Snort mailing list archives
Re: Snort, Queso and iptables [FIDUCIA virus-checked - no guarantee that all known viruses and their variants were detected.]
From: "Thomas Schweikle" <tschweikle () fiducia de>
Date: Tue, 9 Oct 2001 17:21:42 +0100
Just about every other day, snort reports a 'Possible Queso Fingerprint attempt' from a machine at kernel.org (most frequently mirrors.kernel.org). This is puzzling to me for several reasons:
Queso is a simple program to find out what OS your host is using. Sometimes it misses, but mostly it guesses correctly. Nothing to worry about. Someone was trying to find out what OS you were using. Mostly for statistics, just to see what OS people use to surf their site (sometimes interesting to have an idea what folks are out there).
With whitehats.com being down, I was unable to determine what a Queso Fingerprint is. Looks like some probe of my auth port, but I have no idea what it is actually trying to do. I believe that the people at kernel.org are good and righteous. Why would they try to probe my auth port?
To find out if there is a user authentication daemon running. This would deliver some information without guessing via Queso.
Port 113 should be hidden behind my iptables firewall. In fact, I tried to connect to this port from the outside and was unsuccessful. Does snort actually analyze packets before they hit iptables? That seems somewhat weird.
Snort listens using promiscuous mode. If you have snort running on your firewall it will see all packets before they are filtered by other software.
Could anyone please shed some light on one or more of my questions?