Snort mailing list archives

ATTACK-RESPONSES id check returned userid


From: "Charles Douvier" <charles () knightsecurity ws>
Date: Fri, 6 Jun 2003 08:34:34 -0600

Has anyone ever had a lot of "ATTACK-RESPONSES id check returned userid"
events? Sometimes I get 0 for a day, sometimes it's 400 in a couple of hours. I
don't know why I get so many, but it seems like every so often when someone
hits up AOL webmail (I know.. *shudder*), or just from general surfing
occasionally. It'll come from an internal computer on <insert port here> to
<insert server here> port 80.. it looks all legitimate, but I couldn't find
anyone on Google or in the archives that this happens to.

We run a masquerading RH 7.3 machine for our firewall and ZoneAlarm on all the
machines, which are mostly Windows XP workstations.. the Red Hat 7.3 machine
runs snort w/ ACID, some webmail, two eggdrops and some stats stuff.. I don't
know what could be causing it. I really doubt I have had an intrusion of any
kind; I have gone over just about everything in that machine...

Anyone have any ideas/similar problems?

Also, we are making an admin-notify script for snort using MySQL.. it's a
basic script that just uses qmail to send an email when there are more than
<X> events. We are using it to text message a cell phone. It's nothing
special, but if you want it email me directly - it should be done Monday..

Thank you,

Charles
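To see why a rule like this can fire on ordinary web traffic, here is an added example (not code from the original post, from Snort, or from the rule set): a small Python reimplementation of the shape of the signature's content logic, run over constructed payloads. The matcher below is my paraphrase of the published rule, not a copy of it: it looks for "uid=" followed by a small decimal number and then "gid=" with another small number starting within 15 bytes, which is what the output of id(1) looks like. The sample payloads, including the webmail-style URL, are made up for the example. A second, tighter matcher requires the literal "uid=N(name) gid=N(name)" form that id(1) prints, which is one way to cut the false positives down.

```python
# Reproduce, in Python, the kind of content check the
# "ATTACK-RESPONSES id check returned userid" rule performs, and compare it
# with a stricter check.  This is an added, illustrative reimplementation;
# the real rule's exact keywords and offsets are only approximated here.

import re

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    # Genuine id(1) output coming back over a connection: the thing the rule
    # is meant to catch.
    "id_output": b"uid=0(root) gid=0(root) groups=0(root)\n",
    # A hypothetical webmail request whose query string happens to carry
    # uid= and gid= parameters.  Not a real AOL URL.
    "webmail_url": b"GET /mail/msglist?uid=48213&gid=7 HTTP/1.1\r\nHost: webmail.example\r\n",
    # An ordinary page with neither token.
    "plain_page": b"<html><body>hello</body></html>",
    # uid= present, but no gid= near it.
    "uid_only": b"uid=1001&sort=date",
}

MAX_ID = 65537          # upper bound on the numeric uid/gid accepted
MAX_DIGITS = 5          # digits read after "uid=" / "gid="
WITHIN = 15             # "gid=" must start no more than this far after "uid="


def read_decimal(payload, pos):
    """Read up to MAX_DIGITS ASCII digits at pos; None if there are none."""
    end = pos
    while end < len(payload) and end - pos < MAX_DIGITS and 48 <= payload[end] <= 57:
        end += 1
    if end == pos:
        return None
    return int(payload[pos:end])


def loose_match(payload):
    """Approximation of the rule: 'uid=<n>' then 'gid=<n>' within WITHIN bytes,
    both numbers below MAX_ID.  Any byte stream qualifies, URLs included."""
    start = 0
    while True:
        i = payload.find(b"uid=", start)
        if i < 0:
            return False
        after = i + len(b"uid=")
        uid = read_decimal(payload, after)
        if uid is not None and uid < MAX_ID:
            # find() takes an exclusive end, so allow "gid=" to begin at after+WITHIN
            j = payload.find(b"gid=", after, after + WITHIN + len(b"gid="))
            if j >= 0:
                gid = read_decimal(payload, j + len(b"gid="))
                if gid is not None and gid < MAX_ID:
                    return True
        start = after


# Stricter form: the "uid=N(name) gid=N(name)" layout that id(1) prints.
# A query string like "uid=48213&gid=7" does not have the parenthesised names.
TIGHT = re.compile(
    rb"uid=(\d{1,5})\([A-Za-z0-9_.-]+\)\s+gid=(\d{1,5})\([A-Za-z0-9_.-]+\)"
)


def tight_match(payload):
    """True only for payloads in id(1)'s own output format."""
    m = TIGHT.search(payload)
    return bool(m) and int(m.group(1)) < MAX_ID and int(m.group(2)) < MAX_ID


def classify(samples=SAMPLES):
    """Map each sample name to (loose_hit, tight_hit)."""
    return {name: (loose_match(p), tight_match(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (loose, tight) in classify().items():
        print(f"{name:12s} loose={loose!s:5s} tight={tight}")
```

The webmail-style request trips the loose check but not the tight one; that matches the pattern in the post, where the alerts run from an internal host toward port 80 on a web server, i.e. on request data rather than on anything a server sent back. Pulling the payload of one of those alerts out of ACID and looking for "uid=" and "gid=" in the URL or cookie would confirm it for a given site. Since the rule is "any any -> any any", a local copy restricted to traffic from the server side, or a suppression for the noisy destination, is the usual tuning; the stricter pattern above is what such a local rule would express.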



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users