[Snort-users] Newbie: What does this mean?
Bruce.Briggs at ...13183...
Tue Apr 12 09:57:10 EDT 2005
So far, I have not found anything anywhere to indicate what client
software can be causing this alert to trigger.
Perhaps someone else on the list has a clue.
From: John Plate [mailto:plate at ...13254...]
Sent: Tuesday, April 12, 2005 10:19 AM
To: Briggs, Bruce
Subject: Re: [Snort-users] Newbie: What does this mean?
Briggs, Bruce wrote:
> Is your router doing NAT for devices behind it?
> If so, then all this log entry tells you is that some device behind
> router sent out a packet to the dest IP addr that triggered this
I've run clamscan without any hint of problems. Can you recommend
other tools that can detect the guilty program?
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of John
> Sent: Tuesday, April 12, 2005 6:28 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Newbie: What does this mean?
> I've found this in the log:
> # of from to method
> 30 192.168.1.2 18.104.22.168 (http_inspect) DOUBLE DECODING
> The IP 192.168.1.2 is my router to the Net.
> Does this mean that MY server did the attack?
More information about the Snort-users