Snort mailing list archives

Re: snoop output contradicts with snort database


From: John Sage <jsage () finchhaven com>
Date: Sat, 9 Feb 2002 16:19:25 -0800

> On Sat, Feb 09, 2002 at 04:04:46PM -0700, Phil Wood wrote:
> > On Sat, Feb 09, 2002 at 02:14:43PM -0800, Gongya Yu wrote:
> > Hi, all:
> >
> > I have a win2k box compromised. After I boot up that box, I use snoop to find that it sends lots of packets to remote machines on port 80 from random local ports. I set up a snort box to plug in to an Oracle database. When I query the tcphdr table, I find tcp_sport contains port 80, while tcp_dport contains random ports.
> >
> > <snip>
>
> Have you had a drink yet?

I don't think he gets one; maybe he has to buy two for everyone else on the list..


- John

-- 
Most people don't type their own logfiles;  but, what do I care?
