Snort mailing list archives
RE: Newbie: What does this mean?
From: "Information Technology" <itnotify () ashgate com>
Date: Wed, 13 Apr 2005 11:12:11 -0400
It sounds like your sensor is outside your firewall/NAT box. If so, you could run tcpdump, or your favorite packet sniffer, on the internal network, which would allow you to correlate events with your snort sensor logs. You could use the time/date of the tcpdump output to determine which local workstation or server is triggering the alert. Just be sure that your sensor and the PC you run tcpdump on are showing the same time (to allow you to correlate events between the two).

Nick

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of John Plate
Sent: Wednesday, April 13, 2005 10:32 AM
To: Briggs, Bruce
Cc: Snort Users
Subject: Re: [Snort-users] Newbie: What does this mean?

Briggs, Bruce wrote:
Why do you believe it is your server which is doing this? Why not a workstation - some user going to Hotmail?
Well, I cannot know. ClamWin didn't find anything on the only possible (Windows) computer. It could have been a Java Applet having "fun" on the Net. I'm still wondering what it could be...

John

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
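The time-based correlation suggested in the reply above, as an added example that is not part of the original thread. It assumes Snort fast-alert lines and `tcpdump -tttt -n` text output; all addresses, the alert text and the function names are constructed for illustration. Because a sensor outside the NAT box sees only the translated source address, the match is made on destination IP/port plus a time window.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not from the thread). The sensor sits outside NAT,
# so every alert shows the public address 203.0.113.5 as the source.
SNORT_ALERTS = """\
04/13-10:31:02.412345  [**] [1:1000001:1] EXAMPLE alert [**] [Priority: 2] {TCP} 203.0.113.5:40122 -> 198.51.100.20:80
04/13-10:45:10.000120  [**] [1:1000001:1] EXAMPLE alert [**] [Priority: 2] {TCP} 203.0.113.5:40388 -> 198.51.100.77:80
"""
# Constructed capture taken on the internal network, where real hosts are visible.
TCPDUMP = """\
2005-04-13 10:31:02.398211 IP 192.168.1.23.3345 > 198.51.100.20.80: Flags [P.], length 312
2005-04-13 10:31:02.401877 IP 192.168.1.40.1190 > 192.0.2.9.443: Flags [S], length 0
2005-04-13 10:44:58.000000 IP 192.168.1.23.3350 > 198.51.100.77.80: Flags [S], length 0
2005-04-13 10:45:09.990000 IP 192.168.1.57.2201 > 198.51.100.77.80: Flags [P.], length 280
"""

ALERT_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s.*\}\s+\S+ -> (\d+\.\d+\.\d+\.\d+):(\d+)")
DUMP_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def parse_alerts(text, year):
    # Fast-alert timestamps carry no year, so the caller supplies it.
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S.%f")
            yield ts, m.group(2), int(m.group(3))

def parse_dump(text):
    for line in text.splitlines():
        m = DUMP_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m.group(2), m.group(3), int(m.group(4))

def correlate(alerts_text, dump_text, year=2005, window_s=2.0):
    """For each alert, list internal hosts that sent to the same dst within the window."""
    packets = list(parse_dump(dump_text))
    window = timedelta(seconds=window_s)
    result = []
    for ts, dst, dport in parse_alerts(alerts_text, year):
        hosts = sorted({src for pts, src, pdst, pport in packets
                        if pdst == dst and pport == dport and abs(pts - ts) <= window})
        result.append((ts.strftime("%H:%M:%S"), f"{dst}:{dport}", hosts))
    return result

if __name__ == "__main__":
    for when, dst, hosts in correlate(SNORT_ALERTS, TCPDUMP):
        print(when, dst, hosts or "no match (check clock sync or widen window)")
```

If the two clocks drift, a narrow window returns no candidates and a wide one returns several, which is why the advice to keep both machines on the same time matters.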
Current thread:
- Newbie: What does this mean? John Plate (Apr 12)
- <Possible follow-ups>
- RE: Newbie: What does this mean? Briggs, Bruce (Apr 12)
- RE: Newbie: What does this mean? Briggs, Bruce (Apr 12)
- Re: RE: Newbie: What does this mean? Sean Brown (Apr 12)
- RE: Newbie: What does this mean? John Plate (Apr 13)
- RE: Newbie: What does this mean? Briggs, Bruce (Apr 12)
- Re: Newbie: What does this mean? John Plate (Apr 13)
- RE: Newbie: What does this mean? Information Technology (Apr 13)
- Re: Newbie: What does this mean? John Plate (Apr 13)