Snort mailing list archives
RE: Snort-users digest, Vol 1 #2508 - 4 msgs
From: "Jester, Allen" <AJester () chpk com>
Date: Tue, 19 Nov 2002 16:18:07 -0500
jonathan.schimkaitis () pfpc com

-----Original Message-----
From: snort-users-request () lists sourceforge net [mailto:snort-users-request () lists sourceforge net]
Sent: Tuesday, November 19, 2002 3:04 PM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #2508 - 4 msgs

Send Snort-users mailing list submissions to
snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
snort-users-request () lists sourceforge net

You can reach the person managing the list at
snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:

1. GNUTELLA goes berserk (Distribution Lists)
2. RE: spam (Distribution Lists)
3. RE: spam (Don)
4. RE: spam (Chris Merkel)

--__--__--

Message: 1
Date: Tue, 19 Nov 2002 13:33:20 -0600 (CST)
From: "Distribution Lists" <dist-lists () e-securenetworks net>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] GNUTELLA goes berserk

I noticed this a while back. Every now and then snort will pick up lots of portscans on port 6346, which is used by Gnutella. I know that there are users on my private LAN that use Gnutella, but not at the times that Snort has detected the portscans. Has anyone seen anything similar? Any explanation to this?

07/24-03:26:00.670670 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to port 6346 from 148.63.173.101 (STEALTH) [**]
07/24-03:30:29.695242 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to port 6346 from 148.63.173.101 (STEALTH) [**]
07/24-03:31:34.950557 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to port 6346 from 148.63.173.101 (STEALTH) [**]
07/24-03:32:42.764238 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to port 6346 from 148.63.173.101 (STEALTH) [**]
07/24-03:33:40.086794 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to port 6346 from 148.63.173.101 (STEALTH) [**]
07/24-03:35:41.910639 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to port 6346 from 148.63.173.101 (STEALTH) [**]
07/24-03:36:51.916230 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to port 6346 from 148.63.173.101 (STEALTH) [**]
07/24-14:51:24.972247 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to port 6346 from 148.63.173.101 (STEALTH) [**]
07/24-14:54:22.552018 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to port 6346 from 148.63.173.101 (STEALTH) [**]
07/24-14:57:36.724448 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to port 6346 from 148.63.173.101 (STEALTH) [**]
07/24-15:19:40.723331 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to port 6346 from 148.63.173.101 (STEALTH) [**]
07/24-15:22:12.266157 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to port 6346 from 148.63.173.101 (STEALTH) [**]
07/24-15:27:32.316704 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to port 6346 from 148.63.173.101 (STEALTH) [**]
07/24-15:28:36.327405 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to port 6346 from 148.63.173.101 (STEALTH) [**]
07/24-15:29:40.338466 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to port 6346 from 148.63.173.101 (STEALTH) [**]
07/24-15:31:20.204561 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to port 6346 from 148.63.173.101 (STEALTH) [**]
07/24-16:19:59.870509 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to port 6346 from 148.63.173.101 (STEALTH) [**]
07/24-16:23:56.688415 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to port 6346 from 148.63.173.101 (STEALTH) [**]
07/24-16:28:48.996486 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to port 6346 from 148.63.173.101 (STEALTH) [**]

--__--__--

Message: 2
Date: Tue, 19 Nov 2002 13:36:46 -0600 (CST)
Subject: RE: [Snort-users] spam
From: "Distribution Lists" <dist-lists () e-securenetworks net>
To: <Keith.McCammon () eadvancemed com>
Cc: <snort-users () lists sourceforge net>

Report those AOL MTAs to mail-abuse, get them added to the RBL database. That will teach AOL :)

Wow. Spam.

-----Original Message-----
From: Ted Stringer [mailto:TedS () lancasterlawyers com]
Sent: Tuesday, November 19, 2002 11:19 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] spam

I was just wondering if anyone else was getting spam from AOL mail servers with the from address the same as the to address. This just started showing up in my boss's mail box.

Ted Stringer
teds () lancasterlawyers com
Systems Administrator
Lancaster & Eure P.A.

-------------------------------------------------------
This sf.net email is sponsored by: To learn the basics of securing your web site with SSL, click here to get a FREE TRIAL of a Thawte Server Certificate: http://www.gothawte.com/rd524.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--__--__--

Message: 3
From: "Don" <Don () WeberOnTheWeb com>
To: <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] spam
Date: Tue, 19 Nov 2002 11:40:06 -0800

Someone is trying to use your mailserver as a gateway. It is a common spammer technique to use the @localhost as the from address for spam, and basically your mail server has no anti-spam measures in place. Get me off list and I can point you in a good direction to help alleviate that.

don at weberontheweb dot com

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ted Stringer
Sent: Tuesday, November 19, 2002 10:33 AM
To: McCammon, Keith; snort-users () lists sourceforge net
Subject: RE: [Snort-users] spam

I know it was kinda a moronic (is that a word) question. The thing that got my interest was the using the same address in the from and to fields. I just thought it might be something new that the spammers were trying to get by blacklists.

Ted Stringer
teds () lancasterlawyers com
Systems Administrator
Lancaster & Eure P.A.

-----Original Message-----
From: McCammon, Keith [mailto:Keith.McCammon () eadvancemed com]
Sent: Tuesday, November 19, 2002 13:17
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] spam

Wow. Spam.

-----Original Message-----
From: Ted Stringer [mailto:TedS () lancasterlawyers com]
Sent: Tuesday, November 19, 2002 11:19 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] spam

I was just wondering if anyone else was getting spam from AOL mail servers with the from address the same as the to address. This just started showing up in my boss's mail box.

Ted Stringer
teds () lancasterlawyers com
Systems Administrator
Lancaster & Eure P.A.

--__--__--

Message: 4
From: Chris Merkel <chrism () geo-synthetics com>
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] spam
Date: Tue, 19 Nov 2002 13:54:47 -0600

Anyone can do this, there's no trickiness involved:

    From: spammer () aol com
    To: spammer () aol com
    Bcc: yourboss () shouldbeusingaol com, everyone () else com, etc.

The message that comes through looks exactly like the one you described. Nothing wrong with sending mail to yourself, especially if you have multiple personalities like me (and me). ;-)

Chris Merkel

-----Original Message-----
From: Ted Stringer [mailto:TedS () lancasterlawyers com]
Sent: Tuesday, November 19, 2002 12:33 PM
To: McCammon, Keith; snort-users () lists sourceforge net
Subject: RE: [Snort-users] spam

I know it was kinda a moronic (is that a word) question. The thing that got my interest was the using the same address in the from and to fields. I just thought it might be something new that the spammers were trying to get by blacklists.

Ted Stringer
teds () lancasterlawyers com
Systems Administrator
Lancaster & Eure P.A.

-----Original Message-----
From: McCammon, Keith [mailto:Keith.McCammon () eadvancemed com]
Sent: Tuesday, November 19, 2002 13:17
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] spam

Wow. Spam.

-----Original Message-----
From: Ted Stringer [mailto:TedS () lancasterlawyers com]
Sent: Tuesday, November 19, 2002 11:19 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] spam

I was just wondering if anyone else was getting spam from AOL mail servers with the from address the same as the to address. This just started showing up in my boss's mail box.

Ted Stringer
teds () lancasterlawyers com
Systems Administrator
Lancaster & Eure P.A.

--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users

End of Snort-users Digest
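
The spp_portscan alerts quoted in Message 1 of the digest can be grouped by source and destination port and split into bursts, which gives the time windows to compare against when LAN hosts were actually running Gnutella. This is an added example, not part of the original thread; the sample is a subset of the alert lines quoted there, and the year and the 30-minute gap threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A subset of the alert lines quoted in Message 1 above, copied verbatim.
SAMPLE = """\
07/24-03:26:00.670670 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to port 6346 from 148.63.173.101 (STEALTH) [**]
07/24-03:36:51.916230 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to port 6346 from 148.63.173.101 (STEALTH) [**]
07/24-14:51:24.972247 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to port 6346 from 148.63.173.101 (STEALTH) [**]
07/24-14:57:36.724448 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to port 6346 from 148.63.173.101 (STEALTH) [**]
07/24-15:19:40.723331 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to port 6346 from 148.63.173.101 (STEALTH) [**]
07/24-15:31:20.204561 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to port 6346 from 148.63.173.101 (STEALTH) [**]
07/24-16:19:59.870509 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to port 6346 from 148.63.173.101 (STEALTH) [**]
07/24-16:28:48.996486 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to port 6346 from 148.63.173.101 (STEALTH) [**]
"""

ALERT_RE = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] \[\d+:\d+:\d+\] "
    r"spp_portscan: PORTSCAN DETECTED to port (?P<port>\d+) "
    r"from (?P<src>[\d.]+) \((?P<kind>[^)]+)\)"
)

def parse_alerts(text, year=2002):
    """Return (time, source, port, kind); alerts carry no year, so `year` is assumed."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        alerts.append((ts, m["src"], int(m["port"]), m["kind"]))
    return alerts

def bursts(text, max_gap=timedelta(minutes=30)):
    """Split each (source, port) stream into bursts; a gap > max_gap starts a new one."""
    per_key = defaultdict(list)
    for ts, src, port, _kind in parse_alerts(text):
        per_key[(src, port)].append(ts)
    out = []  # (key, first_alert, last_alert, alert_count)
    for key, stamps in sorted(per_key.items()):
        stamps.sort()
        start, prev, count = stamps[0], stamps[0], 1
        for ts in stamps[1:]:
            if ts - prev > max_gap:
                out.append((key, start, prev, count))
                start, count = ts, 0
            prev, count = ts, count + 1
        out.append((key, start, prev, count))
    return out

if __name__ == "__main__":
    for (src, port), first, last, n in bursts(SAMPLE):
        print(f"{src} -> port {port}: {n} alerts, {first:%H:%M:%S} to {last:%H:%M:%S}")
```

On the sample this yields three bursts from 148.63.173.101 to port 6346, starting at 03:26, 14:51 and 16:19.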