Snort mailing list archives
RE: the meaning with arrows in alerts?
From: "Jyri Hovila" <jyri.hovila () iki fi>
Date: Mon, 6 Aug 2001 16:18:42 +0300
Hi!
> found this in my log:
>
> [**] [1:356:2] FTP passwd retreval attempt [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 08/06-14:10:46.916395 x.x.x.11:25733 -> x.x.x.8:21
> TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:149
> ***AP*** Seq: 0xDA6FB967 Ack: 0x63800E38 Win: 0x2798 TcpLen: 20
> [Xref => http://www.whitehats.com/info/IDS213]
>
> Now, normally, you would say the attempt was from the .11 address, the IP
> shown before the '->' TO the IP after the '->'. But I have a feeling, if you
> look at the port numbers, that it's the way around, or?

No, it is from ...11 to ...8. This alert is caused when an FTP client tries to
retrieve the passwd file by sending the command 'get /etc/passwd' or something
like that. The command is sent from the client (port > 1023) to the FTP server
via the FTP command channel (port 21).

Yours,
Jyri Hovila
Information Security Specialist
Tel: +358-41-448 3238
E-mail: jyri.hovila () iki fi
Certifications: http://www.brainbench.com/transcript.jsp?pid=2301241
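An added example (not part of the thread or of Snort itself) that parses the full-format alert quoted above and spells out the two questions the reply separates: which host sent the packet (the side before '->') and which host is the client versus the FTP server (read from the port numbers). The sample alert is the post's own, reflowed onto the lines Snort's full-alert format uses.

```python
import re

# Constructed sample: the alert from the post, with its x.x.x.* address masks kept as-is.
SAMPLE_ALERT = """\
[**] [1:356:2] FTP passwd retreval attempt [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/06-14:10:46.916395 x.x.x.11:25733 -> x.x.x.8:21
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:149
***AP*** Seq: 0xDA6FB967 Ack: 0x63800E38 Win: 0x2798 TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS213]
"""

HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
ENDPOINTS_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$", re.M)
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP) TTL:(\d+)", re.M)


def parse_alert(text):
    """Extract the triage-relevant fields from one Snort full-format alert."""
    hdr, ep, proto = HEADER_RE.search(text), ENDPOINTS_RE.search(text), PROTO_RE.search(text)
    if not (hdr and ep and proto):
        raise ValueError("not a Snort full-format alert")
    return {
        "gid": int(hdr.group(1)), "sid": int(hdr.group(2)), "rev": int(hdr.group(3)),
        "msg": hdr.group(4), "timestamp": ep.group(1),
        "src_ip": ep.group(2), "src_port": int(ep.group(3)),
        "dst_ip": ep.group(4), "dst_port": int(ep.group(5)),
        "proto": proto.group(1), "ttl": int(proto.group(2)),
    }


def describe_direction(alert):
    """The side before '->' is the sender of the packet that matched the rule.
    Client/server roles are a separate question, answered from the ports: the
    well-known service port (< 1024) marks the server, the ephemeral port the client."""
    sender = (alert["src_ip"], alert["src_port"])
    receiver = (alert["dst_ip"], alert["dst_port"])
    if alert["dst_port"] < 1024 <= alert["src_port"]:
        client, server, note = sender, receiver, "client request to server"
    elif alert["src_port"] < 1024 <= alert["dst_port"]:
        client, server, note = receiver, sender, "server response to client"
    else:
        client, server, note = None, None, "roles ambiguous from ports alone"
    return {"packet_from": sender, "packet_to": receiver,
            "client": client, "server": server, "note": note}


if __name__ == "__main__":
    info = describe_direction(parse_alert(SAMPLE_ALERT))
    print(f"packet {info['packet_from']} -> {info['packet_to']}: {info['note']}")
```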