Snort mailing list archives
How should alerts be interpreted? hacker's_machine -> victim's_machine?
From: "Palula Brasil" <palula () uol com br>
Date: Thu, 13 Apr 2006 15:12:23 -0300
Ok! Alerts are workin fine. But indeed there is another problem. Here is the problem: the alert file has these. [**] [122:7:0] (portscan) TCP Filtered Portsweep [**] 04/12-22:30:29.305031 x.x.x.x:port -> 38.119.49.39 PROTO255 TTL:0 TOS:0x0 ID:5901 IpLen:20 DgmLen:162 DF and... [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**] 04/12-23:14:22.648030 x.x.x.x:port -> 66.165.172.181:80 TCP TTL:64 TOS:0x0 ID:30828 IpLen:20 DgmLen:1452 DF ***A**** Seq: 0x3B8C6DA9 Ack: 0x7AAF4300 Win: 0x5AC TcpLen: 32 TCP Options (3) => NOP NOP TS: 54649465 770359521 But the thing is that x.x.x.x:port is my machines IP and port. Looks like it's gone mad and is doing totally random port scans and http inspects on whatever machines. According to snort docs, the correct interpretation for these alerts is: hacker's machine -> victim's machines Has my machine gone mad and is making victims out of a sudden? Home network ( -h x.x.x.x/x) has been defined, by the way. Thanks! :-)
Current thread:
- How should alerts be interpreted? hacker's_machine -> victim's_machine? Palula Brasil (Apr 13)
- RE: How should alerts be interpreted? hacker's_machine -> victim's_machine? Patrick S. Harper (Apr 13)
- Re: How should alerts be interpreted? hacker's_machine -> victim's_machine? Joel Esler (Apr 13)
- Re: How should alerts be interpreted? hacker's_machine -> victim's_machine? Palula Brasil (Apr 13)
- Re: How should alerts be interpreted? hacker's_machine -> victim's_machine? Joel Esler (Apr 13)
- RE: How should alerts be interpreted? hacker's_machine -> victim's_machine? Patrick S. Harper (Apr 13)