Snort mailing list archives
Question about rule 733
From: "Luke Randall" <ljr () myrealbox com>
Date: Tue, 10 Jun 2003 23:26:34 +1000
I have an alert logged with the message: "Virus - Possible QAZ Worm Calling Home" with a SID of 733. I am new to Snort and currently it is running on the internet gateway (which runs NAT) for the local network.

With this alert it says that the source triggering this attack was actually an outside IP address (66.35.250.206), whilst the destination receiving this attack was my external address (i.e. the one assigned to me by my ISP).

Does this mean that a computer on the local network is possibly infected with this virus, and trying to call home to the outside IP address (66.25.250.206) mentioned above? Or does it mean that the person at that IP address potentially has that virus, and for some reason the virus tried to send data to my local network?

I am concerned, as if it is the former, then I need to investigate the computers on my local network.

Any help would be much appreciated.

Luke
Current thread:
- Question about rule 733 Luke Randall (Jun 12)