[Snort-users] Newbie: What does this mean?

Information Technology itnotify at ...12789...
Wed Apr 13 08:16:02 EDT 2005


It sounds like your sensor is outside your firewall/NAT box.  If so, you
could run tcpdump, or your favorite packet sniffer, on the internal network,
which would allow you to correlate events with your snort sensor logs.  You
could use the time/date of the tcpdump output to determine which local
workstation or server is triggering the alert.  Just be sure that your
sensor and the PC you run tcpdump on are showing the same time (to allow you
to correlate events between the two).  

Nick

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of John Plate
Sent: Wednesday, April 13, 2005 10:32 AM
To: Briggs, Bruce
Cc: Snort Users
Subject: Re: [Snort-users] Newbie: What does this mean?

Briggs, Bruce wrote:

> Why do you believe it is your server which is doing this?
> Why not a workstation - some user going to Hotmail?

Well, I cannot know. ClamWin didn't find anything on the only possible
(Windows) computer. It could have been a Java Applet having "fun" on
the Net.

I'm still wondering what it could be...

John
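
The correlation Nick describes, as an added example that is not part of the original thread: match each Snort alert seen outside the NAT box to internal hosts that contacted the same destination at about the same time. It assumes Snort fast-alert lines and `tcpdump -n -q -tttt` output; all addresses and log lines are constructed, and `window_s` / `skew_s` are hypothetical parameter names.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (documentation address ranges), not from the thread.
# The sensor outside the NAT box only sees the public address 203.0.113.10.
SNORT_ALERTS = """\
04/13-10:05:12.480112  [**] [1:1000001:1] Constructed sample alert [**] [Priority: 2] {TCP} 203.0.113.10:34567 -> 198.51.100.25:80
"""
TCPDUMP_LINES = """\
2005-04-13 10:05:09.120001 IP 192.168.1.40.1201 > 198.51.100.99.80: tcp 0
2005-04-13 10:05:12.471330 IP 192.168.1.23.1047 > 198.51.100.25.80: tcp 312
2005-04-13 10:07:45.000210 IP 192.168.1.31.1188 > 198.51.100.25.80: tcp 0
"""

ALERT_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s.*\}\s+\S+ -> ([\d.]+):(\d+)")
DUMP_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP ([\d.]+)\.\d+ > ([\d.]+)\.(\d+):")

def parse_alerts(text, year):
    """Yield (time, dst_ip, dst_port). Fast alerts carry no year, so it is supplied."""
    for m in filter(None, map(ALERT_RE.match, text.splitlines())):
        ts = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S.%f")
        yield ts, m.group(2), int(m.group(3))

def parse_tcpdump(text):
    """Yield (time, internal_src_ip, dst_ip, dst_port) from the internal capture."""
    for m in filter(None, map(DUMP_RE.match, text.splitlines())):
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        yield ts, m.group(2), m.group(3), int(m.group(4))

def correlate(alerts, packets, window_s=2.0, skew_s=0.0):
    """Return [(alert_time, 'dst:port', [internal hosts])] for each alert.

    NAT rewrites the source address (and possibly port), so only the
    destination and the time are compared. skew_s is the sensor clock
    minus the capture host clock, for when the two are not in sync.
    """
    window, skew = timedelta(seconds=window_s), timedelta(seconds=skew_s)
    packets = list(packets)
    results = []
    for a_ts, a_ip, a_port in alerts:
        hosts = sorted({src for p_ts, src, dst, port in packets
                        if (dst, port) == (a_ip, a_port)
                        and abs((a_ts - skew) - p_ts) <= window})
        results.append((a_ts, f"{a_ip}:{a_port}", hosts))
    return results

if __name__ == "__main__":
    for ts, dst, hosts in correlate(parse_alerts(SNORT_ALERTS, 2005), parse_tcpdump(TCPDUMP_LINES)):
        print(ts, dst, "candidates:", hosts or "none")
```

With unsynchronised clocks the same alert can point at a different workstation, which is why the two machines need to agree on the time or the offset has to be passed in.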



