[Snort-users] help with interpreting log
bobkberg at ...12746...
Thu Feb 17 08:23:11 EST 2005
This is fairly normal (read ignore) for hotmail, and a number of other
sites. What it refers to is the use of %20 type encoding for some
characters - then embedded in other encoding.
If all you're seeing is the client traffic - meaning that YOU don't have the
server, then don't worry. At least that's been my experience. I used to
get floods of these things.
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
tonycowling at ...3945...
Sent: Tuesday, February 15, 2005 6:59 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] help with interpreting log
for example I have these type logs from hotmail
[**] (http_inspect) DOUBLE DECODING ATTACK [**]
what more should I include for someone to shed light on an example log?
Is this something to be concerned about other than the fact that it is
hotmail for example?
I also have entries that start with:
[**] (portscan) Open Port [**]
Looks like a connection started by someone within my network.
What is the best way to start to get info on interpreting logs?
SF email is sponsored by - The IT Product Guide Read honest & candid reviews
on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
More information about the Snort-users