[Snort-users] snoop output contradicts with snort database
cpw at ...440...
Sat Feb 9 15:05:03 EST 2002
On Sat, Feb 09, 2002 at 02:14:43PM -0800, Gongya Yu wrote:
> Hi, all:
> I have a win2k box compromised. After I boot up that box, I use snoop to find that it sends
> lots of packets to remote machines on port 80 from random local ports. I set up a snort box to plug into an oracle
> database. When I query the tcphdr table, I found tcp_sport contains port 80, while tcp_dport contains random ports.
Did you get some packets back from the servers your system was trying to hack?
And what are your $EXTERNAL_NET and $HTTP_SERVERS variables set to as well
as your $HOME_NET?
"any" by chance?
What rule triggered the entries in your oracle database? I assume you
are using ACID to output the sql?
Have you had a drink yet?
> any suggestions.
> Gongya Yu
Phil Wood, cpw at ...440...
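The questions above come down to two things: which direction each tcphdr row is travelling relative to $HOME_NET, and which rows a rule header would match once the Snort variables are set to "any". The following is an added example, not code from the thread or from Snort itself: a few constructed tcphdr-style rows (the tcp_sport/tcp_dport columns are the ones named in the post; ip_src/ip_dst and all addresses are made up) and a deliberately simplified matcher for a Snort rule header, used to show why rows with sport 80 and a random dport are server replies, and why "any" variables make both request- and reply-side rules fire on the wrong traffic.

```python
"""Added example: classify tcphdr-style rows against $HOME_NET and check a
simplified Snort rule header under two variable settings. Not Snort's own
matching code; constructed data throughout."""
import ipaddress

# Constructed sample rows: a local host (192.168.1.10) making web requests to
# two outside servers, and each server's reply coming back.
ROWS = [
    {"ip_src": "192.168.1.10", "ip_dst": "203.0.113.5",  "tcp_sport": 3241, "tcp_dport": 80},
    {"ip_src": "203.0.113.5",  "ip_dst": "192.168.1.10", "tcp_sport": 80,   "tcp_dport": 3241},
    {"ip_src": "192.168.1.10", "ip_dst": "198.51.100.7", "tcp_sport": 3242, "tcp_dport": 80},
    {"ip_src": "198.51.100.7", "ip_dst": "192.168.1.10", "tcp_sport": 80,   "tcp_dport": 3242},
]

HOME = ipaddress.ip_network("192.168.1.0/24")  # assumed local subnet

# Two ways of setting the variables: a proper HOME_NET, or everything "any".
STRICT = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET", "HTTP_SERVERS": "$HOME_NET"}
LOOSE = {"HOME_NET": "any", "EXTERNAL_NET": "any", "HTTP_SERVERS": "any"}

# Headers in the shape of a typical web-attack rule and a web-response rule
# (hypothetical headers, not copied from any real ruleset).
WEB_ATTACK_RULE = "$EXTERNAL_NET any -> $HTTP_SERVERS 80"
WEB_RESPONSE_RULE = "$HTTP_SERVERS 80 -> $EXTERNAL_NET any"


def in_net(addr, net):
    """net is 'any', an ip_network, or ('not', ip_network)."""
    if net == "any":
        return True
    if isinstance(net, tuple):
        return ipaddress.ip_address(addr) not in net[1]
    return ipaddress.ip_address(addr) in net


def direction(row, home_net):
    """Which way a packet crosses the HOME_NET boundary."""
    src_home = in_net(row["ip_src"], home_net)
    dst_home = in_net(row["ip_dst"], home_net)
    if src_home and dst_home:
        # With HOME_NET any, every address is "home", so direction is lost.
        return "ambiguous" if home_net == "any" else "internal"
    if src_home:
        return "outbound"
    if dst_home:
        return "inbound"
    return "external"


def describe(row, home_net):
    """Label the rows the poster describes: dport 80 going out is a request,
    sport 80 coming in is the server's reply."""
    d = direction(row, home_net)
    if d == "outbound" and row["tcp_dport"] == 80:
        return "request to web server"
    if d == "inbound" and row["tcp_sport"] == 80:
        return "reply from web server"
    return d


def resolve(token, variables):
    """Expand 'any', '$VAR', '!$VAR' or a CIDR into something in_net accepts."""
    if token == "any":
        return "any"
    if token.startswith("!"):
        inner = resolve(token[1:], variables)
        if inner == "any":
            raise ValueError("negating 'any' is meaningless")
        return ("not", inner)
    if token.startswith("$"):
        return resolve(variables[token[1:]], variables)
    return ipaddress.ip_network(token)


def port_ok(token, port):
    return token == "any" or int(token) == port


def header_matches(header, row, variables):
    """Simplified Snort header: 'src sport -> dst dport' (or '<>' for both ways)."""
    src, sport, arrow, dst, dport = header.split()

    def one_way(s, sp, d, dp):
        return (in_net(row["ip_src"], resolve(s, variables)) and port_ok(sp, row["tcp_sport"])
                and in_net(row["ip_dst"], resolve(d, variables)) and port_ok(dp, row["tcp_dport"]))

    if one_way(src, sport, dst, dport):
        return True
    return arrow == "<>" and one_way(dst, dport, src, sport)


def matching_rows(header, variables, rows=ROWS):
    """Indexes of rows the header would fire on under the given variables."""
    return [i for i, r in enumerate(rows) if header_matches(header, r, variables)]


if __name__ == "__main__":
    for row in ROWS:
        print(row["tcp_sport"], "->", row["tcp_dport"], describe(row, HOME), "/", describe(row, "any"))
    for name, variables in (("STRICT", STRICT), ("LOOSE", LOOSE)):
        print(name, "attack rule:", matching_rows(WEB_ATTACK_RULE, variables),
              "response rule:", matching_rows(WEB_RESPONSE_RULE, variables))
```

With HOME_NET set to the real subnet, the sport-80 rows are labelled as replies coming back to the compromised host and neither header matches anything, which is the expected outcome when the local box is the client rather than the server. With every variable set to "any", direction becomes ambiguous, the attack-side header fires on the host's own outbound requests and the response-side header fires on the replies, which produces exactly the sport 80 / random dport rows the poster is seeing.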