[Snort-users] snoop output contradicts with snort database

Phil Wood cpw at ...440...
Sat Feb 9 15:05:03 EST 2002


On Sat, Feb 09, 2002 at 02:14:43PM -0800, Gongya Yu wrote:
> Hi, all:
> 
>     I have a win2k box compromised. After I boot up that box, I use snoop to find that it sends
> 
> lots of packets to remote machines on port 80 from random local ports. I set up a snort box to plugin to oracle
> 
> database. When I query tcphdr table, I found tcp_sport contains port 80, while tcp_dport contains random ports.

Did you get some packets back from the servers your system was trying to hack?
And what are your $EXTERNAL_NET and  $HTTP_SERVERS variables set to as well
as your $HOME_NET?

  "any" by chance?

What rule triggered the the entries in your oracle database.  I assume you
are using ACID to output the sql?

Have you had a drink yet?

> 
> any suggestions.
> 
> Gongya Yu
> 
> =================================
> 
> 

-- 
Phil Wood, cpw at ...440...





More information about the Snort-users mailing list