Snort mailing list archives
RE: ATTACK-RESPONSES id check returned root
From: Our World Is Here <info () lucretia ca>
Date: Mon, 24 Oct 2005 17:33:56 -0600
I see this so often I've revised this sid (498 I think) to ignore anything coming via POP port 110. If I see it on 25 I get worried...

Cheers,
James Friesen, CIO
Lucretia Enterprises
"Our World Is Here..."
Info at lucretia dot ca
http://lucretia.ca
-----Original Message-----
From: cc [mailto:cc () belfordhk com]
Sent: Saturday, October 22, 2005 12:17 AM
To: Chris Romano
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] ATTACK-RESPONSES id check returned root

Chris Romano sighed and wrote:
: I came in this morning and checked my snort alerts (morning routine), and noticed the following:
: ATTACK-RESPONSES id check returned root 2005-10-21 07:40:32 82.165.25.125:80 10.10.10.5:51949 TCP

This is very interesting. Snort tagged your message with the same exact alert, but this time it was through port 25 (SMTP). At first, I freaked when I saw that on BASE. Then I checked the payload and got worried. However, looking at the port, and noticing it was 25, and finding it in my email, I sighed in relief. :)

Edmund

-------------------------------------------------------
This SF.Net email is sponsored by: Power Architecture Resource Center: Free content, downloads, discussions, and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
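The port-based triage discussed in this thread, as an added Python example that is not code from any poster or from the Snort project. It parses alert lines in the layout quoted above and sorts this one signature by port. The three-way policy, the function names and all sample lines except the first are assumptions or constructed for illustration.

```python
import re
from collections import Counter

# Alert layout as quoted in the thread:
#   <signature> <date> <time> <src_ip>:<src_port> <dst_ip>:<dst_port> <proto>
ALERT_RE = re.compile(
    r"^(?P<sig>.+?) (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)
SIGNATURE = "ATTACK-RESPONSES id check returned root"

# Assumed policy modelled on the posts: POP3 traffic is ignored, SMTP is kept
# for a manual look at the payload, any other port is investigated.
IGNORE_PORTS = {110}
REVIEW_PORTS = {25}

def triage(line):
    """Return 'ignore', 'review' or 'investigate'; None if not this signature."""
    m = ALERT_RE.match(line.strip())
    if m is None or m["sig"] != SIGNATURE:
        return None
    ports = {int(m["sport"]), int(m["dport"])}
    if ports & IGNORE_PORTS:
        return "ignore"
    if ports & REVIEW_PORTS:
        return "review"
    return "investigate"

def summarize(lines):
    """Count triage outcomes; unrelated or unparseable lines are skipped."""
    return Counter(r for r in map(triage, lines) if r is not None)

# First line is the alert quoted in the thread; the rest are constructed samples.
SAMPLE_ALERTS = [
    "ATTACK-RESPONSES id check returned root 2005-10-21 07:40:32 82.165.25.125:80 10.10.10.5:51949 TCP",
    "ATTACK-RESPONSES id check returned root 2005-10-22 00:20:11 192.0.2.10:110 10.10.10.5:40211 TCP",
    "ATTACK-RESPONSES id check returned root 2005-10-22 00:21:40 10.10.10.5:40300 192.0.2.25:25 TCP",
    "ICMP PING NMAP 2005-10-22 01:02:03 192.0.2.99:0 10.10.10.5:0 ICMP",
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(triage(alert), "<-", alert)
    print(dict(summarize(SAMPLE_ALERTS)))
```

Triage of this kind only orders the queue; the payload of a "review" or "investigate" alert still has to be read to tell a quoted alert in an e-mail from real command output.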