[Snort-users] snoop output contradicts with snort database

John Sage jsage at ...2022...
Sat Feb 9 16:20:03 EST 2002

On Sat, Feb 09, 2002 at 04:04:46PM -0700, Phil Wood wrote:
> On Sat, Feb 09, 2002 at 02:14:43PM -0800, Gongya Yu wrote:
> > Hi, all:
> > 
> > I have a win2k box compromised. After I boot up that box, I use snoop to find that it sends
> > lots of packets to remote machines on port 80 from random local ports. I set up a snort box to plug into an Oracle
> > database. When I query the tcphdr table, I found tcp_sport contains port 80, while tcp_dport contains random ports.

> Have you had a drink yet?

I don't think he gets one; maybe he has to buy two for everyone else on the list..

- John

Most people don't type their own logfiles;  but, what do I care?
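One way to check which direction of each connection the database rows describe, as an added example that is not from the thread or from the Snort project: a Python script over constructed snoop-style packets and constructed tcphdr-style rows (the ip_src/ip_dst columns are assumed to come from a join with the iphdr table). It orients every row against the SYN that snoop saw, so a defender can tell whether rows with tcp_sport = 80 record the remote servers' replies rather than the compromised host's own outbound requests.

```python
"""Reconcile per-packet port columns between a snoop-style capture and a
snort tcphdr-style table by orienting each packet onto its connection.

Added example; all sample data below is constructed, not from the thread."""
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip sport dst_ip dport flags")

# Constructed snoop-like observations: the local host (10.0.0.5) opens
# connections to remote port 80 from random local ports; servers answer.
SNOOP = [
    Packet("10.0.0.5", 1041, "203.0.113.10", 80, "S"),
    Packet("203.0.113.10", 80, "10.0.0.5", 1041, "SA"),
    Packet("10.0.0.5", 1042, "203.0.113.11", 80, "S"),
    Packet("203.0.113.11", 80, "10.0.0.5", 1042, "SA"),
]

# Constructed rows as a tcphdr/iphdr join might return them (assumed column
# names ip_src / ip_dst; tcp_sport / tcp_dport are the columns named in the thread).
TCPHDR_ROWS = [
    {"ip_src": "203.0.113.10", "tcp_sport": 80, "ip_dst": "10.0.0.5", "tcp_dport": 1041},
    {"ip_src": "203.0.113.11", "tcp_sport": 80, "ip_dst": "10.0.0.5", "tcp_dport": 1042},
]


def flow_key(src_ip, sport, dst_ip, dport):
    """Direction-independent identifier for one TCP connection."""
    a, b = (src_ip, sport), (dst_ip, dport)
    return (a, b) if a <= b else (b, a)


def initiators(packets):
    """Map each flow to (client endpoint, server endpoint), taken from its SYN."""
    out = {}
    for p in packets:
        if p.flags == "S":  # bare SYN: the sender is the connection initiator
            out[flow_key(p.src_ip, p.sport, p.dst_ip, p.dport)] = (
                (p.src_ip, p.sport), (p.dst_ip, p.dport))
    return out


def classify_rows(rows, packets):
    """Label each DB row as 'client->server', 'server->client' or 'unknown flow'."""
    init = initiators(packets)
    labels = []
    for r in rows:
        key = flow_key(r["ip_src"], r["tcp_sport"], r["ip_dst"], r["tcp_dport"])
        if key not in init:
            labels.append("unknown flow")
            continue
        client, _server = init[key]
        if (r["ip_src"], r["tcp_sport"]) == client:
            labels.append("client->server")
        else:
            labels.append("server->client")
    return labels


def summarize(rows, packets):
    """Count rows per direction; a table dominated by server->client rows
    means the logged packets are replies, which is why tcp_sport shows 80."""
    counts = {}
    for label in classify_rows(rows, packets):
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for row, label in zip(TCPHDR_ROWS, classify_rows(TCPHDR_ROWS, SNOOP)):
        print(f"{row['ip_src']}:{row['tcp_sport']} -> "
              f"{row['ip_dst']}:{row['tcp_dport']}  {label}")
    print(summarize(TCPHDR_ROWS, SNOOP))
```

With the constructed data every row comes out as server->client: the database is not contradicting snoop, it is recording the other half of the same connections. Checking the direction this way, before reading tcp_sport as "the port the host talked from", avoids misreading the host's activity during triage.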
