[Snort-users] snoop output contradicts snort database

Gongya Yu yu at ...4361...
Sat Feb 9 14:19:03 EST 2002


Hi, all:

    I have a win2k box that was compromised. After I boot up that box, I use snoop to find that it sends lots of packets to remote machines on port 80 from random local ports. I set up a snort box that plugs into an Oracle database. When I query the tcphdr table, I find that tcp_sport contains port 80, while tcp_dport contains random ports.

Any suggestions?

Gongya Yu

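One way to check which direction the logged packets actually travel, as an added example that is not part of the original post or of the Snort project's own scripts: join each alert's IP header to its TCP header and classify the packet by which end holds port 80 and by its SYN/ACK bits. Column and table names (event, iphdr, tcphdr keyed by sid and cid; ip_src, ip_dst, tcp_sport, tcp_dport, tcp_flags) are assumed from the classic Snort database schema, the arithmetic and BITAND are written for Oracle to match the poster's setup, and the 10.0.0.0/8 range used to mark the local side is a placeholder.

```sql
-- Added example (not from the original post): for every TCP alert, show
-- which end of the connection holds port 80 and whether the stored packet is
-- the client's SYN or the server's SYN/ACK. A packet whose tcp_sport is 80
-- and whose flags are SYN/ACK is the remote server's reply to an outbound
-- connection, not an inbound connection to the local host.
-- Schema assumption: classic Snort DB tables event, iphdr, tcphdr joined on
-- (sid, cid); IPs stored as unsigned 32-bit integers.
-- Placeholder: 10.0.0.0/8 (167772160 .. 184549375) is taken as the local network.

SELECT e.sid,
       e.cid,
       TRUNC(i.ip_src / 16777216) || '.' || MOD(TRUNC(i.ip_src / 65536), 256) || '.'
         || MOD(TRUNC(i.ip_src / 256), 256) || '.' || MOD(i.ip_src, 256) AS src_ip,
       t.tcp_sport,
       TRUNC(i.ip_dst / 16777216) || '.' || MOD(TRUNC(i.ip_dst / 65536), 256) || '.'
         || MOD(TRUNC(i.ip_dst / 256), 256) || '.' || MOD(i.ip_dst, 256) AS dst_ip,
       t.tcp_dport,
       CASE
         WHEN t.tcp_dport = 80 THEN 'local client -> remote web server'
         WHEN t.tcp_sport = 80 THEN 'remote web server -> local client'
         ELSE 'other'
       END AS direction,
       -- TCP flag bits: SYN = 2, ACK = 16 (FIN = 1, RST = 4, PSH = 8)
       CASE
         WHEN BITAND(t.tcp_flags, 2) = 2 AND BITAND(t.tcp_flags, 16) = 0  THEN 'SYN (connection attempt)'
         WHEN BITAND(t.tcp_flags, 2) = 2 AND BITAND(t.tcp_flags, 16) = 16 THEN 'SYN/ACK (server reply)'
         ELSE 'data/other'
       END AS handshake
  FROM event e
  JOIN iphdr  i ON i.sid = e.sid AND i.cid = e.cid
  JOIN tcphdr t ON t.sid = e.sid AND t.cid = e.cid
 WHERE (t.tcp_sport = 80 OR t.tcp_dport = 80)
   AND (   (i.ip_src BETWEEN 167772160 AND 184549375)   -- local host is the source
        OR (i.ip_dst BETWEEN 167772160 AND 184549375))  -- local host is the destination
 ORDER BY e.sid, e.cid;

-- Summary: how many logged packets point each way. A compromised host that
-- is beaconing outbound shows up mostly as 'remote web server -> local client'
-- rows with SYN/ACK or data flags, because the rules that fire tend to match
-- the server's responses rather than the client's requests.
SELECT CASE
         WHEN t.tcp_dport = 80 THEN 'local client -> remote web server'
         WHEN t.tcp_sport = 80 THEN 'remote web server -> local client'
         ELSE 'other'
       END AS direction,
       COUNT(*) AS packets,
       COUNT(DISTINCT CASE WHEN t.tcp_dport = 80 THEN i.ip_dst ELSE i.ip_src END) AS remote_hosts
  FROM iphdr  i
  JOIN tcphdr t ON t.sid = i.sid AND t.cid = i.cid
 WHERE t.tcp_sport = 80 OR t.tcp_dport = 80
 GROUP BY CASE
            WHEN t.tcp_dport = 80 THEN 'local client -> remote web server'
            WHEN t.tcp_sport = 80 THEN 'remote web server -> local client'
            ELSE 'other'
          END;
```

The point of the first query is that tcp_sport and tcp_dport describe a single packet, not a connection: snoop on the host sees the outbound SYNs (local random port to remote port 80), while the rows in tcphdr are whatever packets caused an alert, which are often the replies coming back from port 80. Reading sport/dport together with src/dst IP and the SYN/ACK bits resolves the apparent contradiction.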

