[Snort-sigs] Snort logs

From: Bryan Irvine <bryan.irvine(at)kingcountyjournal.com>
Date: Tue Apr 22 2003 - 19:34:50 EDT


Is there a way to get more info from the snort logs?

I got this:
###Begin paste###

[**] Virus - Possible NAIL Worm [**]
04/15-16:31:08.887271 207.109.73.101:110 -> 64.1.201.130:8136
TCP TTL:45 TOS:0x0 ID:38869 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x7B1C0E7A Ack: 0x2045F0E7 Win: 0x16D0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
###End paste###

It shows someone on one of our networks downloading a potential virus from our mail server.

But, since this firewall is running NAT, I don't know who. Will snort run on more than one interface so I could track and see where it went (for next time, I'm sure that info is lost this time)?

--Bryan
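Added example, not part of the original post and not Snort's or any firewall vendor's code: it parses the full-format alert pasted above into named fields and then correlates the NAT'd side (the POP3 client, 64.1.201.130:8136, which is the destination here because the server is sending the data) against a firewall's NAT translation log to recover the inside host. The NAT_LOG records, the 10.1.1.x addresses and the assumption that the firewall logs translated port and mapping lifetime are all constructed for the example.

```python
import re
from datetime import datetime

# Constructed input: the alert from the post, in Snort's multi-line "full" alert layout.
SAMPLE_ALERT = """[**] Virus - Possible NAIL Worm [**]
04/15-16:31:08.887271 207.109.73.101:110 -> 64.1.201.130:8136
TCP TTL:45 TOS:0x0 ID:38869 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x7B1C0E7A  Ack: 0x2045F0E7  Win: 0x16D0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""
HEADER_RE = re.compile(r"^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d\.\d+)\s+"
                       r"([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)$")

def parse_snort_alert(text, year=2003):
    """Parse one full-format Snort alert into named fields (Snort logs no year)."""
    lines = [ln.strip() for ln in text.splitlines()
             if ln.strip() and not ln.strip().startswith("=+")]
    m = HEADER_RE.match(lines[1])
    if m is None:
        raise ValueError("unrecognised Snort header line: %r" % lines[1])
    mon, day, clock, src, sport, dst, dport = m.groups()
    alert = {"signature": lines[0].strip("[*] "), "ip_flags": [],
             "timestamp": datetime.strptime("%d-%s-%s %s" % (year, mon, day, clock),
                                            "%Y-%m-%d %H:%M:%S.%f"),
             "src_ip": src, "src_port": int(sport), "dst_ip": dst, "dst_port": int(dport)}
    # Remaining lines mix "Key:value" pairs (TTL:45, Seq: 0x..) with bare tokens (TCP, DF, ***A****).
    tokens = re.sub(r":\s+", ":", " ".join(lines[2:])).split()
    alert["proto"] = tokens.pop(0)
    for tok in tokens:
        if ":" in tok:
            key, val = tok.split(":", 1)
            alert[key.lower()] = int(val, 0)   # base 0 accepts both 38869 and 0x16D0
        elif re.fullmatch(r"[12UAPRSF*]{8}", tok):
            alert["tcp_flags"] = tok           # ***A**** = ACK only
        else:
            alert["ip_flags"].append(tok)      # DF, MF, RB
    return alert

# Constructed NAT translation records (inside host, outside addr, outside port, mapping
# start, mapping end), shaped like a firewall connection log; nothing here is real data.
NAT_LOG = [
    ("10.1.1.23", "64.1.201.130", 8135, datetime(2003, 4, 15, 16, 30, 50), datetime(2003, 4, 15, 16, 31, 5)),
    ("10.1.1.57", "64.1.201.130", 8136, datetime(2003, 4, 15, 16, 31, 2), datetime(2003, 4, 15, 16, 31, 40)),
]

def find_inside_host(alert, nat_log):
    # The NAT'd client is the alert's destination; match translated addr:port within the mapping window.
    for inside, outside, port, start, end in nat_log:
        if (outside, port) == (alert["dst_ip"], alert["dst_port"]) and start <= alert["timestamp"] <= end:
            return inside
    return None
```

Run against a real translation log, the time window matters: NAT ports are reused, so matching on addr:port alone can name the wrong inside host.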




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Tue Apr 22 20:10:59 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:27 EDT

