Re: Active Snort Log Analyser
Speaking of snort - I just installed it and I can't quite figure out the
reports it sends; it seems to think that I am being attacked quite
frequently, when I recognize some of those addresses as being valid
addresses which connect to my box. What is up with that?
The log begins from: Nov 07 00:05:03
The log ends at: Nov 07 23:59:55
The number of attack from same host to same destination using same method
=========================================================================
attacks to from
=========================================================================
31 Source Port traffic 216.162.197.233 ns1.hisite.com
25 Source Port traffic 216.162.197.233 mtl.bb4.com
21 SMB Name Wildcard 216.162.197.233 cs310-42.spmodem.washingto
14 Source Port traffic 216.162.197.233 ns.CNRI.Reston.VA.US
6 Source Port traffic 216.162.197.233 ns-102.iap.bryant.webtv.ne
5 Source Port traffic 216.162.197.233 ns-101.iap.bryant.webtv.ne
5 Source Port traffic 216.162.197.233 m0002.ip3000.com
4 Source Port traffic 216.162.197.233 resolver1.Seattle1.Level3.
4 Source Port traffic 216.162.197.233 ns1.uswest.net
3 Source Port traffic 216.162.197.233 NYU.EDU
3 Source Port traffic 216.162.197.233 com1.runshaw.ac.uk
3 Source Port traffic 216.162.197.233 ns2.net.ohio-state.edu
3 SMB Name Wildcard 216.162.197.233 12.0.40.191
3 Source Port traffic 216.162.197.233 uswest-dsl-136-186.cortlan
3 Source Port traffic 216.162.197.233 ns2.spl.org
3 SMB Name Wildcard 216.162.197.233 ganges1.responsys.com
2 Source Port traffic 216.162.197.233 lists.tao.ca
2 Source Port traffic 216.162.197.233 dname1.wolfe.net
2 Source Port traffic 216.162.197.233 macaws95.metawire.com
2 Source Port traffic 216.162.197.233 si4001.inktomi.com
2 Source Port traffic 216.162.197.233 bsg-ma-cache2.icg.net
On Wed, 08 Nov 2000, Helmut Springer wrote:
> On Tue 2000-11-07 (15:49), Jean-François JOLY wrote:
> > Those FireWalls *are* secure today but as I managed many FireWalls
> > and don't have time to upgrade them to the latest software more
> > than once a year, I'm quite afraid of new holes being found in
> Bad. A not-administrated firewall becomes insecure; there is no way
> to deal with this other than administrating it.
>
> > Tonight, snort reported me someone from malaysia portscanned my
> > subnet and then tried to exploit a bug in ProFTPD. Happily, the
> most attacks against the different ftpds I see are direct hit
> attempts, the attacker does not portscan, he just attacks whole
> subnets in a kind of 'brute forcing'.
>
> --
> MfG/best regards, helmut springer
> delta@FaVeVe.Uni-Stuttgart.DE
>
> Life is a bitch and then you die.
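The analyser output in the post above is a count of Snort alerts grouped by signature, source and destination. Nearly every host in the "from" column is a name server (ns1, resolver1, dname1, ns.CNRI), which suggests the "Source Port traffic" rows are DNS replies (source port 53) to lookups the box itself made, and "SMB Name Wildcard" fires on NetBIOS name-service queries to udp/137, which Windows hosts send routinely. Both are common false positives on a host that resolves names, so the useful step is to reproduce the aggregation and then mark the groups that match a known-resolver allowlist as likely benign, leaving the remaining rows for review. The script below is an added example, not the analyser's or Snort's code: the alert line format is modelled on Snort's fast alert output, and every sample line, address, hostname, the resolver list and the classification heuristic are constructed assumptions.

```python
"""Aggregate Snort fast-format alerts by (method, source, destination), as the
analyser in the post does, then flag groups that look like benign DNS replies.

Added example, not the analyser's code.  Line format is modelled on Snort's
alert_fast output:
    MM/DD-HH:MM:SS.uuuuuu [**] <message> [**] src:sport -> dst:dport
All sample lines, addresses and the resolver list below are constructed.
"""
import re

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed: the resolvers this host is configured to query (assumption).
KNOWN_RESOLVERS = {"198.51.100.53"}

# Constructed sample alerts; 192.0.2.10 stands in for the monitored box.
SAMPLE = """\
11/07-00:05:03.120000 [**] Source Port traffic [**] 198.51.100.53:53 -> 192.0.2.10:1034
11/07-00:05:03.130000 [**] Source Port traffic [**] 198.51.100.53:53 -> 192.0.2.10:1035
11/07-00:07:11.000000 [**] Source Port traffic [**] 198.51.100.53:53 -> 192.0.2.10:1036
11/07-00:09:44.500000 [**] SMB Name Wildcard [**] 203.0.113.7:137 -> 192.0.2.10:137
11/07-00:09:45.000000 [**] SMB Name Wildcard [**] 203.0.113.7:137 -> 192.0.2.10:137
11/07-01:15:00.000000 [**] Source Port traffic [**] 203.0.113.9:53 -> 192.0.2.10:80
this line is not an alert and is skipped
"""


def parse_alert(line):
    """Return a dict for one fast-format alert line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    a = m.groupdict()
    a["sport"] = int(a["sport"])
    a["dport"] = int(a["dport"])
    return a


def group_alerts(lines):
    """Group parsed alerts by the analyser's key: same method, same source, same destination."""
    groups = {}
    for line in lines:
        a = parse_alert(line)
        if a:
            groups.setdefault((a["msg"], a["src"], a["dst"]), []).append(a)
    return groups


def classify(alert, known_resolvers):
    """Heuristic verdict for one alert (assumption, not a Snort feature).

    A 'Source Port traffic' alert from udp/53 on one of our own resolvers to an
    ephemeral port is a reply to a query we sent.  Anything else is left for review.
    """
    if (alert["msg"] == "Source Port traffic" and alert["sport"] == 53
            and alert["src"] in known_resolvers and alert["dport"] >= 1024):
        return "likely-benign: DNS reply from configured resolver"
    if alert["msg"] == "SMB Name Wildcard" and alert["dport"] == 137:
        return "review: NetBIOS name-service query to udp/137"
    return "review"


def report(lines, known_resolvers):
    """Rows of (count, method, src, dst, verdict), highest count first."""
    rows = []
    for (msg, src, dst), alerts in group_alerts(lines).items():
        verdicts = {classify(a, known_resolvers) for a in alerts}
        verdict = verdicts.pop() if len(verdicts) == 1 else "mixed: review"
        rows.append((len(alerts), msg, src, dst, verdict))
    rows.sort(key=lambda r: (-r[0], r[1], r[2]))
    return rows


if __name__ == "__main__":
    print(f"{'attacks':>7}  {'method':<20} {'from':<15} {'to':<12} verdict")
    for count, msg, src, dst, verdict in report(SAMPLE.splitlines(), KNOWN_RESOLVERS):
        print(f"{count:>7}  {msg:<20} {src:<15} {dst:<12} {verdict}")
```

The allowlist is deliberately explicit: a reply from a resolver the host was never configured to use still lands in the "review" bucket, so the heuristic only silences the traffic the box itself initiated.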