Snort mailing list archives

Tagged packets in logs


From: Russell Fulton <r.fulton () auckland ac nz>
Date: Tue, 23 Dec 2003 23:22:27 +1300

Hi,
        I am getting a trickle of "tagged" packets turning up in ACID.  All
these packets have 80 as source port and most have no data, just
push+ack set.  A few have data and these always start with a USER
<username><CRLF>PASS <password> .

I am using 2.0.4 with latest stable ruleset.  So far as I can tell there
are only two rules that currently use the tag option and neither targets
port 80.  

Any idea what is going on?

BTW I'm using unified logging and mudpit to log to a mysql database.

-- 
Russell Fulton                                    /~\  The ASCII
Network Security Officer                          \ /  Ribbon Campaign
The University of Auckland                         X   Against HTML
New Zealand                                       / \  Email!



