[Snort-users] Newbie: What does this mean?

Sean Brown sblinux at ...9344...
Tue Apr 12 10:55:54 EDT 2005


I have been getting the same entry in my logs with Hotmail/Microsoft servers being the destination and my public IP as the source. Guess where 65.54.186.250 points to.

I've just been ignoring it.

----- Original Message -----
From: "Briggs, Bruce" <Bruce.Briggs at ...13183...>
Date: Tuesday, April 12, 2005 10:55 am
Subject: RE: [Snort-users] Newbie: What does this mean?

> So far, I have not found anything anywhere to indicate what client
> software can be causing this alert to trigger. 
> Perhaps someone else on the list has a clue.
> 
> Bruce
> 
> -----Original Message-----
> From: John Plate [plate at ...13254...] 
> Sent: Tuesday, April 12, 2005 10:19 AM
> To: Briggs, Bruce
> Subject: Re: [Snort-users] Newbie: What does this mean?
> 
> Briggs, Bruce wrote:
> 
> > Is your router doing NAT for devices behind it?
> 
> Yes.
> 
> > If so, then all this log entry tells you is that some device behind the
> > router sent out a packet to the dest IP addr that triggered this alert.
> 
> I've run clamscan without any hint of problems. Can you recommend
> other tools that can detect the guilty program?
> 
> John
> 
> 
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net
> > [snort-users-admin at lists.sourceforge.net] On Behalf Of John Plate
> > Sent: Tuesday, April 12, 2005 6:28 AM
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] Newbie: What does this mean?
> > 
> > Hi
> > 
> > I've found this in the log:
> > 
> > =========================================================================
> >  # of  from             to               method
> > =========================================================================
> >  30  192.168.1.2      65.54.186.250    (http_inspect) DOUBLE DECODING ATTACK
> > 
> > The IP 192.168.1.2 is my router to the Net. 
> > 
> > Does this mean that MY server did the attack?
> 
> 
>
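
Added example, not part of the thread and not Snort's own code: a rough approximation of the condition behind the `(http_inspect) DOUBLE DECODING ATTACK` alert (a URI that still contains a `%XX` escape after one round of percent-decoding), tallied per internal client. The log format and the 10.0.0.x addresses are constructed; such a log would have to be captured on the LAN side of the NAT router, because the alert quoted above only shows the router's address.

```python
import re
from collections import Counter
from urllib.parse import unquote

# A well-formed percent escape: '%' followed by two hex digits.
ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")

def is_double_encoded(uri: str) -> bool:
    """True if one round of percent-decoding still leaves a %XX escape.

    Approximation of the double-decode condition, not Snort's implementation.
    """
    if not ESCAPE.search(uri):
        return False
    # latin-1 maps every byte to one character, so odd bytes cannot raise
    # or be replaced during decoding.
    once = unquote(uri, encoding="latin-1")
    return bool(ESCAPE.search(once))

def clients_with_double_encoding(log_text: str) -> Counter:
    """Count double-encoded request URIs per source address.

    Assumed (constructed) line format: "<client> <dest> <method> <uri>".
    """
    hits = Counter()
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        client, _dest, _method, uri = parts
        if is_double_encoded(uri):
            hits[client] += 1
    return hits

# Constructed sample, as a sensor or proxy inside the NAT might log it.
SAMPLE_LOG = """\
10.0.0.11 65.54.186.250 GET /inbox?folder=1
10.0.0.23 65.54.186.250 GET /redir?url=http%3A%2F%2Fexample.test%2Fa%2520b
10.0.0.23 65.54.186.250 GET /redir?url=http%3A%2F%2Fexample.test%2Fc%2526d
10.0.0.11 65.54.186.250 GET /search?q=100%25+sure
10.0.0.42 65.54.186.250 GET /img/logo%20small.gif
"""

if __name__ == "__main__":
    for client, count in clients_with_double_encoding(SAMPLE_LOG).items():
        print(f"{client}: {count} double-encoded URI(s)")
```

An already-encoded URL nested inside a query string (`%2520`) matches the check, while a single literal percent sign (`100%25+sure`) does not.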




