[Snort-users] snoop output contradicts with snort database

Phil Wood cpw at ...440...
Sat Feb 9 15:05:03 EST 2002

On Sat, Feb 09, 2002 at 02:14:43PM -0800, Gongya Yu wrote:
> Hi, all:
>     I have a win2k box compromised. After I boot up that box, I use snoop to find that it sends
> lots of packets to remote machines on port 80 from random local ports. I set up a snort box to plugin to oracle
> database. When I query tcphdr table, I found tcp_sport contains port 80, while tcp_dport contains random ports.

Did you get some packets back from the servers your system was trying to hack?
And what are your $EXTERNAL_NET and  $HTTP_SERVERS variables set to as well
as your $HOME_NET?

  "any" by chance?

What rule triggered the the entries in your oracle database.  I assume you
are using ACID to output the sql?

Have you had a drink yet?

> any suggestions.
> Gongya Yu
> =================================

Phil Wood, cpw at ...440...

More information about the Snort-users mailing list