Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Snort-users digest, Vol 1 #951 - 16 msgs

From: "Mike Klinke" <LSOMike () telocity com>
Date: Tue, 21 Aug 2001 00:16:52 -0500


I'd guess one possiblility is that you have a user who's mailer is
configured to pick up mail once a minute from a pop3 server and either she
has someone pumping messages to her that are tripping your IDS or there's
one message that isn't getting deleted from the mail server after it's being
picked up and is constantly being re-sent whenever her mailer re-connects.
How's her disk space?

Regards, Mike Klinke



From: john.ruff () us abb com
To: snort-users () lists sourceforge net
Date: Mon, 20 Aug 2001 11:23:59 -0400
Subject: [Snort-users] Possible scr worm



Any idea what might be causing this aler tot be generated?  I realize it's

POP3

traffic (probably someone's internet mail acct.), but is there something

new out

there generating these alerts?  I've actually got about 3600 of these

alerts

which just started Saturday(8/18/01).  Need more info let me know.

[**] [1:729:1] Virus - Possible scr Worm [**]
08/20-10:04:45.515817 216.136.173.10:110 -> 130.110.93.68:4062
TCP TTL:49 TOS:0x0 ID:2259 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x878CAF66  Ack: 0x2AE6A993  Win: 0x4470  TcpLen: 20

***One thing additional...the source is the same IP  address, the

destination is

an user pc on my network but the TCP ports on the destination are

increasing

incrementally with each attack (now up to 3700).  View sample from

alert_fast

log:

08/20-03:55:25.262609  [**] [1:729:1] Virus - Possible scr Worm [**] {TCP}
216.136.173.10:110 -> 130.110.93.68:3501
08/20-03:56:28.128075  [**] [1:729:1] Virus - Possible scr Worm [**] {TCP}
216.136.173.10:110 -> 130.110.93.68:3502
08/20-03:57:31.278385  [**] [1:729:1] Virus - Possible scr Worm [**] {TCP}

Regards,
John Ruff

"Shortcuts make for long delays." - J.R.R. Tolken







_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: