Security Incidents mailing list archives
Re: What is this?
From: Geoff the UNIX guy <galitz () UCLINK BERKELEY EDU>
Date: Wed, 14 Feb 2001 13:32:29 -0800
You can view the rules file for snort to determine which ports match this rule, but you should be aware that this particular rule can sometimes trigger on some peer-to-peer application sharing programs (a la napster or gnutella).

If I were you, I'd inspect whatever machine is receiving the data and look for signs of intrusion, including running "dds" and "lsof" (if it is a UNIX box) and any other of your favorite techniques. FWIW, DMZ systems should be spot-checked periodically, anyway.

-geoff

On Wed, 14 Feb 2001, Simeon Johnston wrote:
We have been getting this in our snort logs for some time now and I am wondering exactly what it is. I searched for it on security focus and they say that it is part of some ddos packages. It has been going to our firewall and to another machine in our DMZ. These are the only machines that were hit. Is there any danger from this? Is there a way to tell what port it is on? Is this a snort configuration problem? Any known vulnerabilities? I am running RedHat 6.2 on the firewall w/ IPChains.

IDS193/ddos-stacheldraht server-spoof: (sender here) -> (receiver here)
---------------------------------------------------
Geoff Galitz, galitz () uclink berkeley edu
Research Computing
College of Chemistry, UC Berkeley
---------------------------------------------------
The laws of physics can be a harsh mistress... - Bender