Snort mailing list archives

Re: Alert question???


From: quentyn () fotango com
Date: Tue, 13 Aug 2002 17:23:33 +0100

Know How wrote:

Hello,
   I was going through snort logs and I see a lot of "PORN virgin" alerts.
Source (NN.NN.NN.NN) is the IP address of a hosted web server at our site.
Destination is coming from different locations as shown below.

#764-(5-7743)        PORN virgin        2002-08-13 10:39:09
NN.NN.NN.NN:80        66.56.130.252:4920        TCP

We are seeing a lot of "PORN virgin" alerts shown for all IP addresses (source)
where we have hosted websites. We have a couple of websites hosted and we are
getting the above alerts for all of them. Is this an attack??? Please let me
know.



err maybe you have some "kick ass porn" (to quote snort) being hosted
at that site... have you reviewed the sites and compared them to the
snort rule that is being triggered?

you need to tell us the IP of NN.NN.NN.NN so that others on the list can
<ahem> review it ?


-- 
#####################
Quentyn Taylor
Sysadmin - Fotango
#####################
`The purpose of a windowing system is to put some amusing fluff around
your one almighty
emacs window.' 
   Mark on gnu.emacs.help

