Snort mailing list archives
readme.eml Part II
From: "Basil Saragoza" <snortlst () hotmail com>
Date: Mon, 25 Mar 2002 15:16:53 -0500
This is the decoded payload from the readme.eml attempt I received:

    ts port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    acl girls url_regex -i aaaaa adult adserv ashole ...
    acl music url_regex \.mp3 \.mpeg \.mpg \.mov \.avi \.asf
    acl nimda url_regex -i readme.eml
    acl valid_url url_regex gsm\.hu index\.hu origo\.hu cisco\.com tele-satellite\.com satcodx\.com
    acl max_user_conn maxconn 5
    acl all src 10.0.0.0/255.255.0.0
    acl petzval srcdomain "/etc/s

It looks very much like entries from a squid.conf file, besides that my squid.conf doesn't contain the following lines:

    acl CONNECT method CONNECT
    acl girls url_regex -i aaaaa adult adserv ashole ...
    acl music url_regex \.mp3 \.mpeg \.mpg \.mov \.avi \.asf
    acl nimda url_regex -i readme.eml
    acl valid_url url_regex gsm\.hu index\.hu origo\.hu cisco\.com tele-satellite\.com satcodx\.com
    acl max_user_conn maxconn 5
    acl petzval srcdomain "/etc/s

The rest of the lines are present, and acl all src 10.0.0.0/255.255.0.0 is the line I created myself and 'all' is the acl I created, so some parts from the payload contain valid lines from my squid.conf. (I run a squid proxy on a linux machine for internet connections.)

Is my squid hacked? How should I interpret this payload?
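The line-by-line comparison described in the post (which decoded payload lines exist in the local squid.conf and which do not) can be scripted. This is an added example, not part of the original post: `PAYLOAD` is a subset of the quoted lines, `LOCAL_CONF` is a constructed stand-in for the poster's file, and `norm` and `classify` are hypothetical helper names. The first and last payload lines are treated as possibly cut-off fragments, since the capture starts and ends mid-line.

```python
import re

# Constructed sample: a subset of the decoded payload lines quoted in the post
# (truncated at both ends, as captured) and a stand-in for the local squid.conf.
PAYLOAD = r'''ts port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl music url_regex \.mp3 \.mpeg \.mpg \.mov \.avi \.asf
acl nimda url_regex -i readme.eml
acl max_user_conn maxconn 5
acl all src 10.0.0.0/255.255.0.0
acl petzval srcdomain "/etc/s'''

LOCAL_CONF = r'''acl Safe_ports port 280          # http-mgmt
acl Safe_ports port 488          # gss-http
acl Safe_ports port 591          # filemaker
acl Safe_ports port 777          # multiling http
acl all src 10.0.0.0/255.255.0.0
http_access allow all
'''

def norm(line):
    """Drop trailing comments and collapse whitespace so layout differences don't matter."""
    return re.sub(r"\s+", " ", line.split("#", 1)[0]).strip()

def classify(payload, conf):
    """Label each payload line 'present', 'partial' (cut-off fragment matches) or 'absent'."""
    local = {norm(l) for l in conf.splitlines() if norm(l)}
    lines = [norm(l) for l in payload.splitlines() if norm(l)]
    result = []
    for i, line in enumerate(lines):
        if line in local:
            verdict = "present"
        elif i == 0 and any(c.endswith(line) for c in local):
            verdict = "partial"   # capture began mid-line
        elif i == len(lines) - 1 and any(c.startswith(line) for c in local):
            verdict = "partial"   # capture ended mid-line
        else:
            verdict = "absent"
        result.append((verdict, line))
    return result

if __name__ == "__main__":
    for verdict, line in classify(PAYLOAD, LOCAL_CONF):
        print(f"{verdict:8} {line}")
```

Lines reported as absent are the ones that cannot have come from the local file as it stands on disk.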