[Snort-users] help with interpreting log

Bob Konigsberg bobkberg at ...12746...
Thu Feb 17 08:23:11 EST 2005

This is fairly normal (read ignore) for hotmail, and a number of other
sites.  What it refers to is the use of %20 type encoding for some
characters - then embedded in other encoding.

If all you're seeing is the client traffic - meaning that YOU don't have the
server, then don't worry.  At least that's been my experience.  I used to
get floods of these things.


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
tonycowling at ...3945...
Sent: Tuesday, February 15, 2005 6:59 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] help with interpreting log

for example I have these type logs from hotmail
[**] (http_inspect) DOUBLE DECODING ATTACK [**]

what more should I include for someone to shed light on an example log?
Is this something to be concerned about other than the fact that it is
hotmail for example?

I also have entries that start with:
[**] (portscan) Open Port [**]

Looks like a connection started by someone within my network.
What is the best way to start to get info on interpreting logs?

SF email is sponsored by - The IT Product Guide Read honest & candid reviews
on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list