Snort mailing list archives
RE: No clue?
From: John Friedman <jfriedmanx () yahoo com>
Date: Tue, 15 Nov 2005 07:44:38 -0800 (PST)
Hi all,

Since I did not get any reply on this, is there any way to suppress or pass this alert?

Thanks,
John

John Friedman <jfriedmanx () yahoo com> wrote:

Thanks for pointing that out. Here is the info again:

ID          | Signature                                                                                      | Timestamp           | Source Address | Dest. Address | Layer 4 Proto
#0-(2-4681) | [snort] spp_portscan: End of portscan from 10.1.10.6: TOTAL time(212s) hosts(6) TCP(22) UDP(0) | 2005-11-11 11:39:27 | 10.1.10.6      | unknown       | IP
#1-(2-4680) | [snort] spp_portscan from 10.1.10.6: 1 connections across 1 hosts: TCP(1), UDP(0)              | 2005-11-11 11:39:23 | 10.1.10.6      | unknown       | IP
#2-(2-4679) | [snort] spp_portscan from 10.1.10.6: 1 connections across 1 hosts: TCP(1), UDP(0)              | 2005-11-11 11:39:20 | 10.1.10.6      | unknown       | IP
#3-(2-4678) | [snort] spp_portscan from 10.1.10.6: 2 connections across 2 hosts: TCP(2), UDP(0)              | 2005-11-11 11:39:13 | 10.1.10.6      | unknown       | IP
#4-(2-4677) | [snort] spp_portscan from 10.1.10.6: 5 connections across 2 hosts: TCP(5), UDP(0)              | 2005-11-11 11:38:58 | 10.1.10.6      | unknown       | IP

Our World Is Here <info () lucretia ca> wrote:

Um, this looks like useless info. Could you try cleaning it up and removing the URLs? I doubt I'll be able to view these alerts directly from your BASE server unless you give me a real-world IP.

J.
j e r u v y a t s h a w d o t c a
-----Original Message-----
From: John Friedman [mailto:jfriedmanx () yahoo com]
Sent: Friday, November 11, 2005 8:07 AM
To: snort
Subject: [Snort-users] No clue?

Hi all,

I consistently get these alerts from the Citrix server:

ID          | Signature                                                                                     | Timestamp           | Source Address | Dest. Address | Layer 4 Proto
#0-(2-4654) | [snort] spp_portscan: End of portscan from 10.1.10.6: TOTAL time(17s) hosts(2) TCP(5) UDP(0) | 2005-11-11 09:59:09 | 10.1.10.6      | unknown       | IP
#1-(2-4653) | [snort] spp_portscan from 10.1.10.6: 5 connections across 2 hosts: TCP(5), UDP(0)             | 2005-11-11 09:58:20 | 10.1.10.6      | unknown       | IP
No clue what this means? The destination IP is unknown; can anyone help me out?

Thanks,
John