Snort mailing list archives

Re: Aurora Exploit Attempt Alert One Hour Delay


From: Latonya Hall <lhall () vahna net>
Date: Thu, 23 Jan 2014 17:22:14 -0500

01/23/14-10:21:11.663009 [**] [1:26569:3] BROWSER-IE Microsoft Internet Explorer null object access attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.2.172:8080 -> 192.168.2.224:1081

On Jan 23, 2014 5:09 PM, "Mike Miller" <mike () millertwinracing com> wrote:

What's the SID for the rule?


On Thu, Jan 23, 2014 at 2:41 PM, Latonya Hall <lhall () vahna net> wrote:

I am tailing the file.

On Jan 23, 2014 4:28 PM, "Mike Miller" <mike () millertwinracing com> wrote:

Is it really an hour difference (are you tailing the file live), or
could there be some time skew due to Timezone, Daylight Savings, or
misconfigured clocks?


On Thu, Jan 23, 2014 at 12:45 PM, LaTonya Hall <lhall () vahna net> wrote:

Fast alert to a text file.

*LaTonya Hall*

*Vahna, Inc. | Cyber Security Solutions*
202.803.6900 x104
1211 Connecticut Ave NW
Suite 250
Washington, DC 20036
www.vahna.com




On Jan 23, 2014, at 2:43 PM, Kevin Ross <kevross33 () googlemail com> wrote:

How are you logging this? It is likely either timezone stuff on local
system, in barnyard or if using something like Snorby the correct timezone
not being set such as GMT. So while the alert is generated the time is
appearing as 1 hour later.


On 23 January 2014 16:28, LaTonya Hall <lhall () vahna net> wrote:

There is about a one hour delay from exploit attempt to snort
alert…any ideas?

*-LaTonya*





------------------------------------------------------------------------------
CenturyLink Cloud: The Leader in Enterprise Cloud Services.
Learn Why More Businesses Are Choosing CenturyLink Cloud For
Critical Workloads, Development Environments & Everything In Between.
Get a Quote or Start a Free Trial Today.

http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
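As an added example that is not part of the thread, here is a small Python parser for the alert_fast line LaTonya posted, plus a check that separates the whole-hour gap Kevin and Mike attribute to a timezone or DST mismatch (in Snort, barnyard2 or a console such as Snorby) from genuine latency or an unsynchronised clock. It assumes the Snort 2 alert_fast layout; the constructed sample reproduces the posted alert, and the year-less default timestamp form is handled by passing `year=`.

```python
import re
from datetime import datetime, timedelta

# Constructed copy of the alert_fast line posted in the thread.
SAMPLE_ALERT = (
    "01/23/14-10:21:11.663009  [**] [1:26569:3] BROWSER-IE Microsoft Internet "
    "Explorer null object access attempt [**] [Classification: Attempted User "
    "Privilege Gain] [Priority: 1] {TCP} 192.168.2.172:8080 -> 192.168.2.224:1081"
)

# alert_fast layout: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: n] {proto} src -> dst.  The Classification block is optional.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d(?:/\d\d)?-\d\d:\d\d:\d\d\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

def parse_fast_alert(line, year=None):
    """Return the alert's fields; 'time' is a naive datetime in the sensor's
    local clock, exactly as Snort wrote it (no timezone conversion applied)."""
    m = FAST_RE.match(line.strip())
    if m is None:
        raise ValueError("not an alert_fast line: %r" % line)
    d = m.groupdict()
    ts = d.pop("ts")
    if ts.count("/") == 2:            # "-y" form: MM/DD/YY-HH:MM:SS.usec
        d["time"] = datetime.strptime(ts, "%m/%d/%y-%H:%M:%S.%f")
    else:                             # default form carries no year; caller supplies it
        if year is None:
            raise ValueError("year-less timestamp needs a year argument")
        d["time"] = datetime.strptime("%d/%s" % (year, ts), "%Y/%m/%d-%H:%M:%S.%f")
    for k in ("gid", "sid", "rev", "prio"):
        d[k] = int(d[k])
    return d

def classify_delay(alert_time, wall_time, tolerance=timedelta(seconds=30)):
    """Compare Snort's timestamp with the wall clock at which the alert was seen
    (e.g. while tailing the file).  A gap that is a whole number of hours is the
    signature of a timezone/DST mismatch somewhere in the logging pipeline;
    anything else is real processing latency or an unsynchronised clock."""
    gap = wall_time - alert_time
    if abs(gap) <= tolerance:
        return "in_sync"
    hours = round(gap / timedelta(hours=1))
    if hours != 0 and abs(gap - timedelta(hours=hours)) <= tolerance:
        return "tz_or_dst_skew_%+dh" % hours
    return "latency_or_clock_skew"
```

Feed it the timestamp from the alert and the time you actually saw the line appear; a result of `tz_or_dst_skew_+1h` points at timezone configuration rather than a slow sensor.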