Snort mailing list archives
Re: PLEASE CC ME
From: "Sean Lazar" <slazar () cruzio com>
Date: Sat, 8 Nov 2003 15:08:05 -0800
What port does your proxy run on? Is it 8080? The rule is:

alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy \(8080\) attempt"; flags:S,12; classtype:attempted-recon; sid:620; rev:3;)

http://www.snort.org/snort-db/sid.html?sid=620

This rule, if I am reading it right, will trigger on any connection to 8080 in your home net. This one gets a lot of false positives, probably because 8080 is a popular port. Nothing to worry about, just turn off the rule.

Sean

----- Original Message -----
From: "Stephan Weaver" <stephanweaver () hotmail com>
To: <snort-users () lists sourceforge net>
Sent: Thursday, November 06, 2003 12:41 PM
Subject: [Snort-users] PLEASE CC ME
Hello, good day list,

I am not on the list, so can you guys please CC me at stephanweaver () hotmail com

Here goes....

I am having a problem. I run Snort on the same machine as my proxy server, and defined the home net variable as 192.168.0.0/24. Clients using the proxy server are logged in Snort as follows...

[**] [1:620:3] SCAN Proxy (8080) attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/06-16:40:07.970541 192.168.0.9:1117 -> 192.168.0.200:8080
TCP TTL:128 TOS:0x0 ID:41741 IpLen:20 DgmLen:48 DF
******S* Seq: 0x7C3CD1 Ack: 0x0 Win: 0x2000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

This is not supposed to be happening.

Thanks in Advance
Stephan Weaver

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
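Added example (not part of the original messages and not Snort code): a small Python check that replays the posted alert against the header and flags test of sid 620, to show how the value of $EXTERNAL_NET decides whether an internal client connecting to the proxy raises the alert. The thread does not say what EXTERNAL_NET was set to; the two values tried here are assumptions (`any` is what the stock snort.conf uses), and the function names are hypothetical.

```python
import ipaddress
import re

# Alert text as posted in the thread (Snort full-alert format).
ALERT = """[**] [1:620:3] SCAN Proxy (8080) attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/06-16:40:07.970541 192.168.0.9:1117 -> 192.168.0.200:8080
TCP TTL:128 TOS:0x0 ID:41741 IpLen:20 DgmLen:48 DF
******S* Seq: 0x7C3CD1 Ack: 0x0 Win: 0x2000 TcpLen: 28"""

def parse_alert(text):
    """Pull addresses, ports and the 8-character TCP flag string out of an alert."""
    m = re.search(r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)", text)
    flags = re.search(r"^([A-Z0-9*]{8}) Seq:", text, re.M).group(1)
    return {"src": m.group(1), "sport": int(m.group(2)),
            "dst": m.group(3), "dport": int(m.group(4)), "flags": flags}

def in_net(ip, spec, home_net):
    """Evaluate a Snort-style address spec: 'any', a CIDR, '$HOME_NET', or '!' negation."""
    if spec.startswith("!"):
        return not in_net(ip, spec[1:], home_net)
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        spec = home_net
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def sid620_matches(pkt, home_net, external_net):
    """Header and flags test of sid 620: $EXTERNAL_NET any -> $HOME_NET 8080, flags:S,12."""
    # Flag string order is 1 2 U A P R S F; ",12" masks the two reserved bits,
    # so only the last six positions must show SYN and nothing else.
    syn_only = pkt["flags"][2:] == "****S*"
    return (in_net(pkt["src"], external_net, home_net)
            and in_net(pkt["dst"], home_net, home_net)
            and pkt["dport"] == 8080 and syn_only)

PKT = parse_alert(ALERT)
HOME = "192.168.0.0/24"  # HOME_NET value given in the thread

if __name__ == "__main__":
    for ext in ("any", "!$HOME_NET"):  # assumed EXTERNAL_NET settings
        print(f"EXTERNAL_NET={ext:<11} -> alert: {sid620_matches(PKT, HOME, ext)}")
```

With `any`, the internal client 192.168.0.9 counts as external and the rule fires on every proxy connection; with `!$HOME_NET` the same packet no longer matches, while a SYN to port 8080 from outside 192.168.0.0/24 still does.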
Current thread:
- PLEASE CC ME Stephan Weaver (Nov 07)
- Re: PLEASE CC ME Sean Lazar (Nov 08)
- Re: PLEASE CC ME Erek Adams (Nov 08)
- <Possible follow-ups>
- Re: PLEASE CC ME Leonard Miller (Nov 08)
- Re: PLEASE CC ME Sean Lazar (Nov 08)