[Snort-users] Newbie: What does this mean?

Briggs, Bruce Bruce.Briggs at ...13183...
Tue Apr 12 09:57:10 EDT 2005


So far, I have not found anything anywhere to indicate what client
software can be causing this alert to trigger. 
Perhaps someone else on the list has a clue.

Bruce

-----Original Message-----
From: John Plate [mailto:plate at ...13254...] 
Sent: Tuesday, April 12, 2005 10:19 AM
To: Briggs, Bruce
Subject: Re: [Snort-users] Newbie: What does this mean?

Briggs, Bruce wrote:

> Is your router doing NAT for devices behind it?

Yes.

> If so, then all this log entry tells you is that some device behind the
> router sent out a packet to the dest IP addr that triggered this alert.

I've run clamscan without any hint of problems. Can you recommend
other tools that can detect the guilty program?

John


> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of John Plate
> Sent: Tuesday, April 12, 2005 6:28 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Newbie: What does this mean?
> 
> Hi
> 
> I've found this in the log:
> 
> =========================================================================
>  # of  from             to               method
> =========================================================================
>  30  192.168.1.2      65.54.186.250    (http_inspect) DOUBLE DECODING ATTACK
> 
> The IP 192.168.1.2 is my router to the Net. 
> 
> Does this mean that MY server did the attack?



