Snort mailing list archives
RE: Newbie: What does this mean?
From: "Briggs, Bruce" <Bruce.Briggs () suny edu>
Date: Tue, 12 Apr 2005 12:55:26 -0400
So far, I have not found anything anywhere to indicate what client software can be causing this alert to trigger. Perhaps someone else on the list has a clue. Bruce -----Original Message----- From: John Plate [mailto:plate () ache dk] Sent: Tuesday, April 12, 2005 10:19 AM To: Briggs, Bruce Subject: Re: [Snort-users] Newbie: What does this mean? Briggs, Bruce wrote:
Is your router doing NAT for devices behind it?
Yes.
If so, then all this log entry tells you is that some device behind
the
router sent out a packet to the dest IP addr that triggered this
alert. I've run clamscan without any hint of problems. Can you recommend other tools that can detect the guilty program? John
-----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of John
Plate
Sent: Tuesday, April 12, 2005 6:28 AM To: snort-users () lists sourceforge net Subject: [Snort-users] Newbie: What does this mean? Hi I've found this in the log:
========================================================================
= # of from to method
========================================================================
= 30 192.168.1.2 65.54.186.250 (http_inspect) DOUBLE DECODING ATTACK The IP 192.168.1.2 is my router to the Net. Does this mean that MY server did the attack?
------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://ads.osdn.com/?ad_ide95&alloc_id396&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Newbie: What does this mean? John Plate (Apr 12)
- <Possible follow-ups>
- RE: Newbie: What does this mean? Briggs, Bruce (Apr 12)
- RE: Newbie: What does this mean? Briggs, Bruce (Apr 12)
- Re: RE: Newbie: What does this mean? Sean Brown (Apr 12)
- RE: Newbie: What does this mean? John Plate (Apr 13)
- RE: Newbie: What does this mean? Briggs, Bruce (Apr 12)
- Re: Newbie: What does this mean? John Plate (Apr 13)
- RE: Newbie: What does this mean? Information Technology (Apr 13)
- Re: Newbie: What does this mean? John Plate (Apr 13)