[Snort-users] snoop output contradicts with snort database
jsage at ...2022...
Sat Feb 9 16:20:03 EST 2002
On Sat, Feb 09, 2002 at 04:04:46PM -0700, Phil Wood wrote:
> On Sat, Feb 09, 2002 at 02:14:43PM -0800, Gongya Yu wrote:
> > Hi, all:
> > I have a win2k box compromised. After I boot up that box, I use snoop to find that it sends
> > lots of packets to remote machines on port 80 from random local ports. I set up a snort box to plug in to an Oracle
> > database. When I query the tcphdr table, I found tcp_sport contains port 80, while tcp_dport contains random ports.
> Have you had a drink yet?
I don't think he gets one; maybe he has to buy two for everyone else on the list.
Most people don't type their own logfiles; but, what do I care?