Snort mailing list archives

ATTACK-RESPONSES id check returned root

From: "Romano, Chris" <CRomano () AtlasBD com>
Date: Tue, 30 Dec 2003 16:57:51 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I just got this alert for our snort sensor.  I think that it's a false
positive but am not sure how to check and want to see if anyone else has
seen this.  Both the source and dest. are mail servers. The source is a
from a list server that sends a good bit of emails to us and this is the
first time that I have seen this alert.  The source IP is 131.193.178.160
(stoneport.math.uic.edu - a.mx.cr.yp.to).  Any help would be greatly
appreciated.

Thanks,

Chris Romano

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBP/H03gvHK4/UMrUIEQIJCgCg9iVJSHV+lry98BnXLgnk+v8MT9wAnRbN
Q3+JYVAeh7qpWDZQC2Ern1GO
=eFFD
-----END PGP SIGNATURE-----

Current thread:

ATTACK-RESPONSES id check returned root Romano, Chris (Dec 30)
- Re: ATTACK-RESPONSES id check returned root sam (Dec 30)