[Snort-users] Alert question???

quentyn at ...3871... quentyn at ...3871...
Tue Aug 13 09:24:02 EDT 2002


Know How wrote:
> 
> Hello,
>    I was going through snort logs and i see lot of "PRON virgin" alerts.
> Source (NN.NN.NN.NN) is the ip address of a hosted web server at our site.
> Destination is comming from different location as shown below.
> 
> #764-(5-7743)        PORN virgin        2002-08-13 10:39:09
> NN.NN.NN.NN:80        66.56.130.252:4920        TCP
> 
> We are seeing lot of "PRON Virgin" alerts shown for all ip address (source)
> where we have hosted website. We have couple of website hosted and we are
> getting above alerts for all of them. Is this a attack??? Please let me
> know.
> 


err maybe you have some "kick ass porn" ( to quote snort) being hosted
at that site... have you reviewed the sites and campared them to the
snort rule that is being triggered ?

you need to tell us the IP of NN.NN.NN.NN so that others on the list can
<ahem> review it ?


-- 
#####################
Quentyn Taylor
Sysadmin - Fotango
#####################
`The purpose of a windowing system is to put some amusing fluff around
your one almighty
emacs window.' 
   Mark on gnu.emacs.help




More information about the Snort-users mailing list