Snort mailing list archives

Question about rule 733


From: "Luke Randall" <ljr () myrealbox com>
Date: Tue, 10 Jun 2003 23:26:34 +1000

I have an alert logged with the message: "Virus - Possible QAZ Worm
Calling Home" with a SID of 733.
I am new to snort and currently it is running on the internet gateway (which
runs NAT) for the local network. With this alert it says that the source
triggering this attack was actually an outside IP address (66.35.250.206),
whilst the destination receiving this attack was my external address (i.e.
the one assigned to me by my ISP).
Does this mean that a computer on the local network is possibly infected
with this virus, and trying to call home to the outside IP address
(66.25.250.206) mentioned above? Or does it mean that the person at that IP
address potentially has that virus, and for some reason the virus tried to
send data to my local network?
I am concerned as if it is the former, then I need to investigate the
computers on my local network.

Any help would be much appreciated.

Luke



