[Snort-users] BACKDOOR QAZ Worm Client Login access?

sart at ...11843... sart at ...11843...
Fri May 21 07:47:13 EDT 2004


>That sounds more like a bug in your version of snort.

I am using Snort version 2.1.2 with the default rule set for now.  What 
action should I take to fix the bug in my version of Snort?


>Was the port on the destination even correct? (port 7597)

Do you mean in the payload section of ACID?  The Org source and 
destination IPs in the payload section are "unable to resolve address" and 
the Org.Source port and destination port are both zero.  I am assuming 
that means the answer to your question is no. 

I did, however, find that the destination IP in the IP section is my DNS 
server.  Since yesterday I have had about 8 of these strange alerts.  The 
source is always the SMTP server on the DMZ, and the dest is one of 2 DNS 
servers on the LAN. 

Thanks  again, 
 
Seth Art
Computer Support Specialist
TrialGraphix - Exhibits, Technologies, and Trial Consulting
800-334-5403
305-576-5400
Fax: 305-576-0188
http://www.trialgraphix.com



