Snort mailing list archives
Re: BACKDOOR QAZ Worm Client Login access?
From: sart () trialgraphix com
Date: Fri, 21 May 2004 10:43:59 -0400
That sounds more like a bug in your version of snort.
I am using Snort version 2.1.2 with the default rule set for now. What action should I take to fix the bug in my version of Snort?
Was the port on the destination even correct? (port 7597)
Do you mean in the payload section of ACID? The Org source and destination IPs in the payload section are "unable to resolve address" and the Org. Source port and destination port are both zero. I am assuming that means the answer to your question is no. I did, however, find that the destination IP in the IP section is my DNS server. Since yesterday I have had about 8 of these strange alerts. The source is always the SMTP server on the DMZ, and the dest is one of 2 DNS servers on the LAN.

Thanks again,

Seth Art
Computer Support Specialist
TrialGraphix - Exhibits, Technologies, and Trial Consulting
800-334-5403 305-576-5400 Fax: 305-576-0188
http://www.trialgraphix.com