Snort mailing list archives
Re: RE: Newbie: What does this mean?
From: Sean Brown <sblinux () shaw ca>
Date: Tue, 12 Apr 2005 11:53:45 -0600
I have been getting the same entry in my logs with Hotmail/Microsoft servers being the destination and my public IP as the source. Guess where 65.54.186.250 points to. I've just been ignoring it.

----- Original Message -----
From: "Briggs, Bruce" <Bruce.Briggs () suny edu>
Date: Tuesday, April 12, 2005 10:55 am
Subject: RE: [Snort-users] Newbie: What does this mean?

> So far, I have not found anything anywhere to indicate what client software can be causing this alert to trigger. Perhaps someone else on the list has a clue.
>
> Bruce
>
> -----Original Message-----
> From: John Plate [plate () ache dk]
> Sent: Tuesday, April 12, 2005 10:19 AM
> To: Briggs, Bruce
> Subject: Re: [Snort-users] Newbie: What does this mean?
>
> Briggs, Bruce wrote:
>> Is your router doing NAT for devices behind it?
>
> Yes.
>
>> If so, then all this log entry tells you is that some device behind the router sent out a packet to the dest IP addr that triggered this alert.
>
> I've run clamscan without any hint of problems. Can you recommend other tools that can detect the guilty program?
>
> John
>
>> -----Original Message-----
>> From: snort-users-admin () lists sourceforge net [snort-users-admin () lists sourceforge net] On Behalf Of John Plate
>> Sent: Tuesday, April 12, 2005 6:28 AM
>> To: snort-users () lists sourceforge net
>> Subject: [Snort-users] Newbie: What does this mean?
>>
>> Hi
>>
>> I've found this in the log:
>>
>> =========================================================================
>> # of  from         to             method
>> =========================================================================
>> 30    192.168.1.2  65.54.186.250  (http_inspect) DOUBLE DECODING ATTACK
>>
>> The IP 192.168.1.2 is my router to the Net. Does this mean that MY server did the attack?
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Newbie: What does this mean? John Plate (Apr 12)
- <Possible follow-ups>
- RE: Newbie: What does this mean? Briggs, Bruce (Apr 12)
- RE: Newbie: What does this mean? Briggs, Bruce (Apr 12)
- Re: RE: Newbie: What does this mean? Sean Brown (Apr 12)
- RE: Newbie: What does this mean? John Plate (Apr 13)
- RE: Newbie: What does this mean? Briggs, Bruce (Apr 12)
- Re: Newbie: What does this mean? John Plate (Apr 13)
- RE: Newbie: What does this mean? Information Technology (Apr 13)
- Re: Newbie: What does this mean? John Plate (Apr 13)