Snort mailing list archives
ATTACK-RESPONSES id check returned userid
From: "Charles Douvier" <charles () knightsecurity ws>
Date: Fri, 6 Jun 2003 08:34:34 -0600
Has anyone ever had a lot of "ATTACK-RESPONSES id check returned userid" events? Sometimes I get 0 for a day, sometimes it's 400 in a couple of hours. I don't know why I get so many, but it seems like every so often when someone hits up AOL webmail (I know.. *shudder*) or just from general surfing occasionally. It'll come from an internal computer on <insert port here> to a <insert server here> port 80.. it looks all legitimate, but I couldn't find anyone that this happens to on Google or by searching the archives.

We run a masquerade rh7.3 machine for our firewall and ZoneAlarm on all the machines, which are mostly Windows XP workstations.. the Red Hat 7.3 machine runs Snort w/ ACID, some webmail, two eggdrops and some stats stuff.. I don't know what could be causing it. I really doubt I have had an intrusion of any kind, I have gone over just about everything in that machine...

Anyone have any ideas/similar problems?

Also, we are making an admin-notify script for Snort using MySQL.. it's a basic script that just uses qmail to send an email when there are more than <X> # of events. We are using it to txt message a cell phone. It's nothing special, but if you want it, email me directly - should be done Monday..

Thank you,
Charles
Current thread:
- ATTACK-RESPONSES id check returned userid Charles Douvier (Jun 06)
- Re: ATTACK-RESPONSES id check returned userid Edin Dizdarevic (Jun 06)
- <Possible follow-ups>
- ATTACK-RESPONSES id check returned userid Roelf Schreurs (Jun 17)
- RE: ATTACK-RESPONSES id check returned userid Hudak, Tyler (Jun 17)