Snort mailing list archives
Re: Snort-users digest, Vol 1 #951 - 16 msgs
From: "Mike Klinke" <LSOMike () telocity com>
Date: Tue, 21 Aug 2001 00:16:52 -0500
I'd guess one possibility is that you have a user whose mailer is configured to pick up mail once a minute from a POP3 server, and either she has someone pumping messages to her that are tripping your IDS, or there's one message that isn't getting deleted from the mail server after it's picked up and is constantly being re-sent whenever her mailer reconnects. How's her disk space?

Regards, Mike Klinke
From: john.ruff () us abb com
To: snort-users () lists sourceforge net
Date: Mon, 20 Aug 2001 11:23:59 -0400
Subject: [Snort-users] Possible scr worm

Any idea what might be causing this alert to be generated? I realize it's POP3 traffic (probably someone's internet mail acct.), but is there something new out there generating these alerts? I've actually got about 3600 of these alerts which just started Saturday (8/18/01). Need more info, let me know.

[**] [1:729:1] Virus - Possible scr Worm [**]
08/20-10:04:45.515817 216.136.173.10:110 -> 130.110.93.68:4062
TCP TTL:49 TOS:0x0 ID:2259 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x878CAF66 Ack: 0x2AE6A993 Win: 0x4470 TcpLen: 20

***One thing additional... the source is the same IP address, the destination is a user PC on my network, but the TCP ports on the destination are increasing incrementally with each attack (now up to 3700). View sample from alert_fast log:

08/20-03:55:25.262609 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3501
08/20-03:56:28.128075 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3502
08/20-03:57:31.278385 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP}

Regards,
John Ruff
"Shortcuts make for long delays." - J.R.R. Tolkien
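An added example, not from this thread or from the Snort project, that parses alert_fast lines like the ones John posted and checks for the pattern Mike is describing: one server on port 110, one client, the client's port climbing by one on each alert roughly a minute apart, which points to a mail client polling and re-fetching the same message rather than a fresh inbound event each time. The sample lines are constructed from the quoted ones (the third is completed with an assumed client port), and alert_fast is assumed to carry no year in its timestamps.

```python
import re
from datetime import datetime

# Constructed alert_fast lines modelled on the ones quoted in the thread:
# same POP3 server, same client, client port climbing by one each poll.
SAMPLE_ALERTS = """\
08/20-03:55:25.262609 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3501
08/20-03:56:28.128075 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3502
08/20-03:57:31.278385 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:3503
08/20-10:04:45.515817 [**] [1:729:1] Virus - Possible scr Worm [**] {TCP} 216.136.173.10:110 -> 130.110.93.68:4062
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alert_fast(text):
    """Parse alert_fast lines into dicts. alert_fast has no year, so the
    timestamp is parsed as month/day plus time of day only."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not single-line alert_fast records
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%m/%d-%H:%M:%S.%f")
        d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
        events.append(d)
    return events

def polling_clients(events, server_port=110, max_gap=120):
    """Group alerts by (server, client) where the server side is server_port.
    Count consecutive alerts where the client port rose by exactly one and the
    gap is under max_gap seconds: a mail client re-polling the same mailbox."""
    by_pair = {}
    for e in events:
        if e["sport"] == server_port:
            by_pair.setdefault((e["src"], e["dst"]), []).append(e)
    summary = {}
    for pair, evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        sequential = 0
        for prev, cur in zip(evs, evs[1:]):
            gap = (cur["ts"] - prev["ts"]).total_seconds()
            if cur["dport"] == prev["dport"] + 1 and 0 < gap < max_gap:
                sequential += 1
        summary[pair] = {"alerts": len(evs), "sequential_polls": sequential,
                         "looks_like_mail_poll": sequential >= 2}
    return summary
```

A pair flagged this way is worth checking on the client side (the mailbox and the message that keeps being re-fetched) before treating the server IP as the attacker.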
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users