
Re: Active Snort Log Analyser

Speaking of snort - I just installed it and I can't quite figure out the
reports it sends. It seems to think that I am being attacked quite
frequently, when I recognize some of those addresses as being valid
addresses which connect to my box. What is up with that?

The log begins from: Nov 07 00:05:03
The log ends at:     Nov 07 23:59:55

The number of attack from same host to same destination using same method
   attacks                    to               from
  31 Source Port traffic  ns1.hisite.com
  25 Source Port traffic  mtl.bb4.com
  21 SMB Name Wildcard  cs310-42.spmodem.washingto
  14 Source Port traffic  ns.CNRI.Reston.VA.US   
   6 Source Port traffic  ns-102.iap.bryant.webtv.ne   
   5 Source Port traffic  ns-101.iap.bryant.webtv.ne
   5 Source Port traffic  m0002.ip3000.com
   4 Source Port traffic  resolver1.Seattle1.Level3.
   4 Source Port traffic  ns1.uswest.net
   3 Source Port traffic  NYU.EDU
   3 Source Port traffic  com1.runshaw.ac.uk
   3 Source Port traffic  ns2.net.ohio-state.edu
   3 SMB Name Wildcard
   3 Source Port traffic  uswest-dsl-136-186.cortlan
   3 Source Port traffic  ns2.spl.org
   3 SMB Name Wildcard  ganges1.responsys.com
   2 Source Port traffic  lists.tao.ca
   2 Source Port traffic  dname1.wolfe.net
   2 Source Port traffic  macaws95.metawire.com
   2 Source Port traffic  si4001.inktomi.com
   2 Source Port traffic  bsg-ma-cache2.icg.net

On Wed, 08 Nov 2000, Helmut Springer wrote:

> On Tue 2000-11-07 (15:49), Jean-François JOLY wrote:
> > Those FireWalls *are* secure today but as I managed many FireWalls
> > and don't have time to upgrade them to the latest software more
> > than once a year, I'm quite afraid of new holes being found in
> bad.  a not administrated firewall becomes insecure, there is no way
> to deal with this than administrating it.
> > Tonight, snort reported me someone from malaysia portscanned my
> > subnet and then tried to exploit a bug in ProFTPD. Happily, the
> most attacks against the different ftpds I see are direct hit
> attempts, the attacker does not portscan, he just attacks whole
> subnets if kind of 'brute forcing'.
> -- 
> MfG/best regards, helmut springer
>                                             delta@FaVeVe.Uni-Stuttgart.DE
>                                         Life is a bitch and then you die.
> --  
> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
