[Snort-users] ATTACK-RESPONSES id check returned root

Our World Is Here info at ...2282...
Mon Oct 24 16:35:53 EDT 2005


I see this so often I've revised this sid (498 I think) to ignore anything
coming via POP port 110.  If I see it on 25 I get worried...


Cheers,


James Friesen, CIO

Lucretia Enterprises
"Our World Is Here..."
Info at lucretia dot ca
http://lucretia.ca


> -----Original Message-----
> From: cc [mailto:cc at ...9707...]
> Sent: Saturday, October 22, 2005 12:17 AM
> To: Chris Romano
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] ATTACK-RESPONSES id check returned root
>
> Chris Romano sighed and wrote::
>
> > I came in this morning and checked my snort alerts (morning routine),
> > and noticed the following:
> >
> > ATTACK-RESPONSES id check returned root 2005-10-21 07:40:32
> > 82.165.25.125:80 10.10.10.5:51949 TCP
> >
>
> This is very interesting.  Snort tagged your message with the
> same exact alert, but this time it was through port 25
> (SMTP).  At first, I freaked when I saw that on BASE.  Then I
> checked the payload and got worried.
>
> However, looking at the port, and noticing it was 25, and
> finding it in my email, I sighed in relief.  :)
>
> Edmund
>
>