[Snort-users] Question about rule 733

Luke Randall ljr at ...4180...
Thu Jun 12 10:38:05 EDT 2003


I have an alert logged with the message: "Virus - Possible QAZ Worm
Calling Home" with a SID of 733.
I am new to Snort and currently it is running on the internet gateway (which
runs NAT) for the local network. With this alert it says that the source
triggering this attack was actually an outside IP address (66.35.250.206),
whilst the destination receiving this attack was my external address (i.e.
the one assigned to me by my ISP).
Does this mean that a computer on the local network is possibly infected
with this virus, and trying to call home to the outside IP address
(66.25.250.206) mentioned above? Or does it mean that the person at that IP
address potentially has that virus, and for some reason the virus tried to
send data to my local network?
I am concerned as if it is the former, then I need to investigate the
computers on my local network.

Any help would be much appreciated.

Luke





