Snort mailing list archives
Need help fast!
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Tue, 18 Sep 2001 19:10:11 -0400
Hello,

Once on Thursday I noticed an outgoing telnet connection attempt on port 23 from my web server out to the Internet. Two days later I noticed an outgoing TFTP connection attempt (port 69) from the same web server out to the Internet. I've never seen these types of connection attempts before and they are definitely NOT a good sign.

But even more strange is that Snort logs an alert for these connection attempts, but does NOT log any traces! I have never seen Snort do this before. Whenever there is an alert, there has ALWAYS been a corresponding trace to refer to. But for each of these connection attempts, I have nothing to refer to. I'm using Snort 1.8.1 b78 on Red Hat Linux 7.0.

My questions for the group are:

* Has anyone seen any unexplained telnet or tftp coming from any of their servers lately? Possibly from the new w32.nimda.a.mm worm?
* Also, could this problem be a bug in Snort where it isn't logging traces properly all of the time? It logs traces fine for all of my other alerts.

Thanks,
Paul