No subject


Thu Nov 23 16:36:19 EST 2017


denied.

-Joe

> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Endre
> Szekely-Bencedi
> Sent: Wednesday, November 24, 2004 4:12 AM
> To: snort-users at lists.sourceforge.net
> Cc: Andras Kalmar; Basselgia, Barry A Mr (NAF Atsugi)
> Subject: RE: [Snort-users] exporting snort logs
>
>
>
> Hi, thanks for the reply.
> The idea is that before contacting those people I should know why these
> machines are trying to pass that router. :)
> We are a consultancy company that provides services to another company and
> we have a subnet in their network (A class network). So it is a huge
> network.
> The whole problem is this I believe, why these machines are trying to
> contact it (what software does this, actually...).
> I know only tcpdump to figure this out and tried it but didn't manage to
> see anything understandable. There is a lot of 'spam' (packets) for
> example to an exchange server on customer side (that is normal).. and
> some packets that had 'SMB' somewhere.. perhaps it is something that tries
> to access netbios shares there, and those infamous netbios ports are denied.
> Anyway I am not sure anyone can help me with this, I'll have to answer the
> questions myself.
> A hint on some tools / methods for identifying traffic would be more than
> welcome, if possible.
>
> Thanks for your patience, I'm a security noob who has some clues about
> security / networking, but that's all. :) Sorry for that.
>
>
> Greetings,
> Endre Szekely-Bencedi
>
> "Basselgia, Barry A Mr (NAF Atsugi)" <BABasselgia at ...12708....navy.mil>
> 11/24/2004 01:20 AM
> To: "'Endre Szekely-Bencedi'" <Endre.Szekely-Bencedi at ...12701...>,
>     snort-users at lists.sourceforge.net
> cc: Andras Kalmar <Andras.Kalmar at ...12701...>
> Subject: RE: [Snort-users] exporting snort logs
>
> Can't help with the export thing.
>
> But, on your question regarding "communications administratively
> prohibited".  This means the router that is sending the messages is
> configured to block your network/ip address.  The only way to correct this
> would be to identify who the router(s) belongs to and contact them to find
> out why you're being blocked.  So, this isn't really a "False Alarm".  And
> obviously, if you have 100,000 hits something on your network is trying to
> get through those routers.
>
>
>
>
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Endre
> Szekely-Bencedi
> Sent: Tuesday, November 23, 2004 8:36 PM
> To: snort-users at lists.sourceforge.net
> Cc: Andras Kalmar
> Subject: [Snort-users] exporting snort logs
>
>
> ...
> Also, how do you guys manage to identify false alarms? I am getting alerts
> for "communication administratively prohibited" or something like that from
> a few routers outside of our network for 19 IP addresses (8 machines) from
> our network - there are like 140 machines - and this is up to almost
> 100,000. I did not manage to determine yet what is causing this huge
> amount of alerts... tcpdump looks pretty encrypted to me, didn't see
> anything interesting yet just lots of packets towards our proxy server and
> to some exchange server...
>
> Any hints on how to do this? Perhaps some tools ... ?
>
> ...
>
> Greetings,
> Endre
>
> "THIS E-MAIL MESSAGE ALONG WITH ANY ATTACHMENTS IS INTENDED ONLY FOR THE
> ADDRESSEE and may contain confidential and privileged information. If the
> reader of this message is not the intended recipient, you are
> notified that
> any dissemination, distribution or copy of this communication is strictly
> prohibited. If you have received this message by error, please notify us
> immediately, return the original mail to the sender and delete the message
> from your system."
>
>
>
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT Products from real users.
> Discover which products truly live up to the hype. Start reading now.
> http://productguide.itmanagersjournal.com/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> ---------------------------------------------------------
> This message has been scanned for viruses and dangerous
> content by the NAF Atsugi MailScanner.
>
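
Added example, not part of the original thread: an ICMP "communication administratively prohibited" message (type 3, code 13) quotes the IP header and first 8 bytes of the packet the router dropped, so the alerts themselves show which internal host was trying to reach which destination port. The function names and the sample messages below are constructed for illustration.

```python
import socket
import struct
from collections import Counter

ICMP_DEST_UNREACH = 3
CODE_ADMIN_PROHIBITED = 13            # RFC 1812 code for a filtered packet
PROTO_NAMES = {6: "tcp", 17: "udp"}

def parse_admin_prohibited(icmp):
    """Return (src, dst, proto, dport) of the dropped packet quoted inside an
    ICMP type 3 code 13 message, or None for anything else or truncated."""
    if len(icmp) < 8 + 20:
        return None
    if (icmp[0], icmp[1]) != (ICMP_DEST_UNREACH, CODE_ADMIN_PROHIBITED):
        return None
    inner = icmp[8:]                  # quoted IP header + start of its payload
    if inner[0] >> 4 != 4:            # only IPv4 is handled here
        return None
    ihl = (inner[0] & 0x0F) * 4       # IP options move the transport offset
    if ihl < 20 or len(inner) < ihl:
        return None
    proto = inner[9]
    src = socket.inet_ntoa(inner[12:16])
    dst = socket.inet_ntoa(inner[16:20])
    dport = None
    if proto in PROTO_NAMES and len(inner) >= ihl + 4:
        dport = struct.unpack("!H", inner[ihl + 2:ihl + 4])[0]
    return src, dst, PROTO_NAMES.get(proto, str(proto)), dport

def top_talkers(messages):
    """Count blocked flows so the noisiest internal hosts come first."""
    flows = (parse_admin_prohibited(m) for m in messages)
    return Counter(f for f in flows if f).most_common()

def build_sample(src, dst, proto, sport, dport, code=CODE_ADMIN_PROHIBITED):
    """Constructed ICMP message for the demo (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    l4 = struct.pack("!HHI", sport, dport, 0)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + ip + l4

# Constructed sample data: three blocked SMB attempts, one NetBIOS name
# query, and one ordinary host-unreachable (code 1) that must be ignored.
SAMPLES = [build_sample("10.1.2.3", "10.9.9.9", 6, 40000 + i, 445) for i in range(3)]
SAMPLES.append(build_sample("10.1.2.4", "10.9.9.9", 17, 137, 137))
SAMPLES.append(build_sample("10.1.2.5", "10.9.9.9", 6, 40010, 80, code=1))

if __name__ == "__main__":
    for flow, count in top_talkers(SAMPLES):
        print(count, flow)
```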




