Snort mailing list archives
Why logging the attacked one?
From: "Gabriel Moricz" <gabriel () autofax com br>
Date: Fri, 30 Jan 2004 09:09:38 -0200
Hello all...

First of all, thanks for not helping me with the answer that I had b4... But ok... I forgive u.. hehe :-D

Well.. I will ask now... I am having a problem..

[**] MS-SQL Worm propagation attempt [**]
01/29-15:49:31.148746 64.63.254.192:0 -> 200.231.117.114:3128
TCP TTL:112 TOS:0x0 ID:676 IpLen:20 DgmLen:40 DF
******S* Seq: 0x3DE75 Ack: 0x0 Win: 0x200 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Looking at this alert, my network is 200.231.117.114 and it logged, creating a folder with this IP and not with the attacker's IP..

How can I tell Snort to log and create the folder with the attacker's IP name??

Thanks, and I hope that some good heart helps me this time...

Gabriel Moricz