Snort mailing list archives

RE: No clue?


From: John Friedman <jfriedmanx () yahoo com>
Date: Tue, 15 Nov 2005 07:44:38 -0800 (PST)

Hi all,
 
Since I did not get any reply on this, is there any way to suppress or pass this alert?
 
Thanks,
 
John

John Friedman <jfriedmanx () yahoo com> wrote:
Thanks for pointing that out.  Here is the info again:
 

ID / Signature / Timestamp / Source Address / Dest. Address / Layer 4 Proto

#0-(2-4681)  [snort] spp_portscan: End of portscan from 10.1.10.6: TOTAL time(212s) hosts(6) TCP(22) UDP(0)
             2005-11-11 11:39:27   Source: 10.1.10.6   Dest: unknown   Proto: IP

#1-(2-4680)  [snort] spp_portscan from 10.1.10.6: 1 connections across 1 hosts: TCP(1), UDP(0)
             2005-11-11 11:39:23   Source: 10.1.10.6   Dest: unknown   Proto: IP

#2-(2-4679)  [snort] spp_portscan from 10.1.10.6: 1 connections across 1 hosts: TCP(1), UDP(0)
             2005-11-11 11:39:20   Source: 10.1.10.6   Dest: unknown   Proto: IP

#3-(2-4678)  [snort] spp_portscan from 10.1.10.6: 2 connections across 2 hosts: TCP(2), UDP(0)
             2005-11-11 11:39:13   Source: 10.1.10.6   Dest: unknown   Proto: IP

#4-(2-4677)  [snort] spp_portscan from 10.1.10.6: 5 connections across 2 hosts: TCP(5), UDP(0)
             2005-11-11 11:38:58   Source: 10.1.10.6   Dest: unknown   Proto: IP

Our World Is Here <info () lucretia ca> wrote:
Um, this looks like useless info. Could you try cleaning it up and remove
the urls? I doubt I'll be able to view these alerts directly from your base
server unless you give me a real world IP.


J.
j e r u v y a t s h a w d o t c a



-----Original Message-----
From: John Friedman [mailto:jfriedmanx () yahoo com]
Sent: Friday, November 11, 2005 8:07 AM
To: snort
Subject: [Snort-users] No clue?

Hi all,

I consistently get these alerts from the Citrix server:

ID / Signature / Timestamp / Source Address / Dest. Address / Layer 4 Proto

#0-(2-4654)  [snort] spp_portscan: End of portscan from 10.1.10.6: TOTAL time(17s) hosts(2) TCP(5) UDP(0)
             2005-11-11 09:59:09   Source: 10.1.10.6   Dest: unknown   Proto: IP

#1-(2-4653)  [snort] spp_portscan from 10.1.10.6: 5 connections across 2 hosts: TCP(5), UDP(0)
             2005-11-11 09:58:20   Source: 10.1.10.6   Dest: unknown   Proto: IP



No clue what this means. The destination IP is unknown; can anyone help me out?

Thanks,

John





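An added example, not from this thread or from the Snort project: a small Python parser for the two spp_portscan message shapes quoted above (the running "N connections across M hosts" status alerts and the "End of portscan" total), folded into one record per source so a tuning decision about a host like the Citrix server can be made on the scan totals rather than alert by alert. The sample messages are constructed on the format shown in the thread (10.1.10.99 is an invented second source for contrast), and the noise thresholds in looks_like_noise are assumptions, not Snort defaults.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the spp_portscan messages quoted in the thread.
SAMPLE_ALERTS = [
    "spp_portscan from 10.1.10.6: 5 connections across 2 hosts: TCP(5), UDP(0)",
    "spp_portscan from 10.1.10.6: 1 connections across 1 hosts: TCP(1), UDP(0)",
    "spp_portscan: End of portscan from 10.1.10.6: TOTAL time(212s) hosts(6) TCP(22) UDP(0)",
    "spp_portscan from 10.1.10.99: 250 connections across 120 hosts: TCP(250), UDP(0)",
    "spp_portscan: End of portscan from 10.1.10.99: TOTAL time(9s) hosts(254) TCP(508) UDP(0)",
]

IP = r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
STATUS_RE = re.compile(
    rf"spp_portscan from {IP}: (?P<conns>\d+) connections across (?P<hosts>\d+) hosts: "
    r"TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)")
END_RE = re.compile(
    rf"spp_portscan: End of portscan from {IP}: TOTAL time\((?P<secs>\d+)s\) "
    r"hosts\((?P<hosts>\d+)\) TCP\((?P<tcp>\d+)\) UDP\((?P<udp>\d+)\)")


def parse_alert(msg):
    """Return {'kind': 'status'|'end', 'src': ..., int fields} or None for other alerts."""
    for kind, rx in (("status", STATUS_RE), ("end", END_RE)):
        m = rx.search(msg)
        if m:
            rec = {k: (v if k == "src" else int(v)) for k, v in m.groupdict().items()}
            rec["kind"] = kind
            return rec
    return None


def summarize(msgs):
    """One record per source: number of running status alerts plus the End totals."""
    out = defaultdict(lambda: {"status_alerts": 0, "hosts": 0, "tcp": 0, "udp": 0, "secs": 0})
    for msg in msgs:
        a = parse_alert(msg)
        if a is None:
            continue
        rec = out[a["src"]]
        if a["kind"] == "status":
            rec["status_alerts"] += 1
            rec["hosts"] = max(rec["hosts"], a["hosts"])
        else:  # the End-of-portscan alert carries the totals for the whole scan window
            rec.update(hosts=a["hosts"], tcp=a["tcp"], udp=a["udp"], secs=a["secs"])
    return dict(out)


def looks_like_noise(rec, min_hosts=10, min_conns=50):
    # Assumed thresholds: a handful of hosts and connections is ordinary server chatter.
    return rec["hosts"] < min_hosts and rec["tcp"] + rec["udp"] < min_conns
```

Because the End record summarises traffic to many destinations, there is no single destination address to show, which is consistent with the "unknown" Dest. column in the BASE listing.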
