Snort mailing list archives

Should I worry??

From: "Anthony Scott" <ascott () triadfoodsgroup com>
Date: Tue, 25 Jun 2002 11:41:36 -0500

Received this alert from Snort:
 
[**] [1:1227:2]  <http://hqbb/snort/sig/sigsid-1227.html> X11 outbound client connection detected [**]
[Classification: Misc activity] [Priority: 3]
06/24-10:37:44.575620  <http://hqbb/snort/192/168/1/src192.168.1.18.html> 192.168.1.18:  
<http://www.portsdb.org/bin/portsdb.cgi?portnumber=6000&protocol=TCP> 6000 ->  
<http://hqbb/snort/192/168/1/dest192.168.1.225.html> 192.168.1.225:  
<http://www.portsdb.org/bin/portsdb.cgi?portnumber=1984&protocol=TCP> 1984
TCP TTL:128 TOS:0x0 ID:12364 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x36B34774 Ack: 0x498A1D12 Win: 0x4470 TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS126]
 
.18 is an Exchange server. This is , of course, an internal IP address. However it does have a public IP address.
.225 is the Snort/Big Brother server. It only has the internal address.
Thanks
anthony  scott,
workstation administrator

Current thread:

Should I worry?? Anthony Scott (Jun 25)
- Re: Should I worry?? Chris Adams (Jun 25)