[Snort-users] exporting snort logs

Endre Szekely-Bencedi Endre.Szekely-Bencedi at ...12701...
Wed Nov 24 01:16:56 EST 2004


Hi, thanks for the reply.
The idea is that before contacting those people I should know why these
machines are trying to pass that router. :)
We are a consultancy company that provides services to another company and
we have a subnet in their network (A class ntework). So it is a huge
network.
The whole problem is this I believe, why these machines are trying to
contact it (what software does this, actually...).
I know only tcpdump to figure this out and tried it but didn't manage to
see anything understable. There is a lot of 'spam' (packets) for example to
an exchange server on customer side (that is normal).. and some packets
that had 'SMB' somewhere.. perhaps it is something that tries to access
netbios shares there, and those infamous netbios ports are denied.
Anyway I am not sure anyone can help me with this, I'll have to answer the
questions myself.
A hint on some tools / methods for identifying traffic would be more than
welcome, if possible.

Thanks for your patience, I'm a security noob who has some clues about
security / networking, but that's all. :) Sorry for that.


Greetings,
Endre Szekely-Bencedi



                                                                                                                                                    
                    "Basselgia, Barry A                                                                                                             
                    Mr (NAF Atsugi)"           To:     "'Endre Szekely-Bencedi'" <Endre.Szekely-Bencedi at ...12701...>,                                
                    <BABasselgia at ...12708...        snort-users at lists.sourceforge.net                                                                    
                    .navy.mil>                 cc:     Andras Kalmar <Andras.Kalmar at ...12701...>                                                     
                                               Subject:     RE: [Snort-users] exporting snort logs                                                  
                    11/24/2004 01:20 AM                                                                                                             
                                                                                                                                                    
                                                                                                                                                    




Can't help with the export thing.

But, on your question regarding "communications administratively
prohibited".  This means the router that is sending the messages is
configured to block your network/ip address.  The only way to correct this
would be to identify who the router(s) belongs to and contact them to find
out why your being blocked.  So, this isn't really a "False Alarm".  And
obviously, if you have 100,000 hits something on your network is trying to
get through those routers.




-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Endre
Szekely-Bencedi
Sent: Tuesday, November 23, 2004 8:36 PM
To: snort-users at lists.sourceforge.net
Cc: Andras Kalmar
Subject: [Snort-users] exporting snort logs


...
Also, how you guys manage to identify false alarms? I am getting alerts for
"communication administratively prohibited" or something like that from a
few routers outside of our network for 19 IP addresses (8 machines) from
our network - there are like 140 machines - and this is up to almost
100,000. I did not manage to determinde yet what is causing this huge
amount of alerts... tcpdump looks pretty encrypted to me, didn't see
anything interesting yet just lots of packets towards our proxy server and
to some exchange server...

Any hints on how to do this? Perhaps some tools ... ?

...

Greetings,
Endre

"THIS E-MAIL MESSAGE ALONG WITH ANY ATTACHMENTS IS INTENDED ONLY FOR THE
ADDRESSEE and may contain confidential and privileged information. If the
reader of this message is not the intended recipient, you are notified that
any dissemination, distribution or copy of this communication is strictly
prohibited. If you have received this message by error, please notify us
immediately, return the original mail to the sender and delete the message
from your system."



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

---------------------------------------------------------
This message has been scanned for viruses and dangerous
content by the NAF Atsugi MailScanner.




"THIS E-MAIL MESSAGE ALONG WITH ANY ATTACHMENTS IS INTENDED ONLY FOR THE
ADDRESSEE and may contain confidential and privileged information. If the
reader of this message is not the intended recipient, you are notified that
any dissemination, distribution or copy of this communication is strictly
prohibited. If you have received this message by error, please notify us
immediately, return the original mail to the sender and delete the message
from your system."





More information about the Snort-users mailing list