[Snort-users] snoop output contradicts with snort database

John Sage jsage at ...2022...
Sat Feb 9 16:20:03 EST 2002


On Sat, Feb 09, 2002 at 04:04:46PM -0700, Phil Wood wrote:
> On Sat, Feb 09, 2002 at 02:14:43PM -0800, Gongya Yu wrote:
> > Hi, all:
> > 
> > I have a win2k box compromised. After I boot up that box, I use snoop to find that it sends lots of packets to remote machines on port 80 from random local ports. I set up a snort box to plug in to an Oracle database. When I query the tcphdr table, I find that tcp_sport contains port 80, while tcp_dport contains random ports.
> 
<snip>

> Have you had a drink yet?

I don't think he gets one; maybe he has to buy two for everyone else on the list.


- John

-- 
Most people don't type their own logfiles;  but, what do I care?
