
Re: Active Snort Log Analyser



Speaking of Snort: I just installed it and I can't quite figure out the
reports it sends. It seems to think that I am being attacked quite
frequently, when I recognize some of those addresses as being valid
addresses which connect to my box. What is up with that?



The log begins from: Nov 07 00:05:03
The log ends at:     Nov 07 23:59:55


The number of attack from same host to same destination using same method
=========================================================================
   attacks                    to               from
=========================================================================
  31 Source Port traffic      216.162.197.233  ns1.hisite.com
  25 Source Port traffic      216.162.197.233  mtl.bb4.com
  21 SMB Name Wildcard        216.162.197.233  cs310-42.spmodem.washingto
  14 Source Port traffic      216.162.197.233  ns.CNRI.Reston.VA.US   
   6 Source Port traffic      216.162.197.233  ns-102.iap.bryant.webtv.ne   
   5 Source Port traffic      216.162.197.233  ns-101.iap.bryant.webtv.ne
   5 Source Port traffic      216.162.197.233  m0002.ip3000.com
   4 Source Port traffic      216.162.197.233  resolver1.Seattle1.Level3.
   4 Source Port traffic      216.162.197.233  ns1.uswest.net
   3 Source Port traffic      216.162.197.233  NYU.EDU
   3 Source Port traffic      216.162.197.233  com1.runshaw.ac.uk
   3 Source Port traffic      216.162.197.233  ns2.net.ohio-state.edu
   3 SMB Name Wildcard        216.162.197.233  12.0.40.191
   3 Source Port traffic      216.162.197.233  uswest-dsl-136-186.cortlan
   3 Source Port traffic      216.162.197.233  ns2.spl.org
   3 SMB Name Wildcard        216.162.197.233  ganges1.responsys.com
   2 Source Port traffic      216.162.197.233  lists.tao.ca
   2 Source Port traffic      216.162.197.233  dname1.wolfe.net
   2 Source Port traffic      216.162.197.233  macaws95.metawire.com
   2 Source Port traffic      216.162.197.233  si4001.inktomi.com
   2 Source Port traffic      216.162.197.233  bsg-ma-cache2.icg.net
   
On Wed, 08 Nov 2000, Helmut Springer wrote:

> On Tue 2000-11-07 (15:49), Jean-François JOLY wrote:
> > Those FireWalls *are* secure today but as I managed many FireWalls
> > and don't have time to upgrade them to the latest software more
> > than once a year, I'm quite afraid of new holes being found in
> bad.  a not administrated firewall becomes insecure, there is no way
> to deal with this than administrating it.
> 
> > Tonight, snort reported me someone from malaysia portscanned my
> > subnet and then tried to exploit a bug in ProFTPD. Happily, the
> most attacks against the different ftpds I see are direct hit
> attempts, the attacker does not portscan, he just attacks whole
> subnets if kind of 'brute forcing'.
> 
> -- 
> MfG/best regards, helmut springer
>                                             delta@FaVeVe.Uni-Stuttgart.DE
> 	
>                                         Life is a bitch and then you die.
> 
> 
> --  
> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 
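The summary table quoted earlier in this message is the kind of report the poster is asking about. As an added example (not code from this post, from Snort, or from the log analyser that produced the table), here is a small Python parser for that table format: it sums alerts per signature and separates rows whose source is a host the reader already recognizes from rows that deserve a closer look. The table text embedded below is a constructed subset of the one in the post; the name-server prefix heuristic and the sample `known_hosts` entry are assumptions made for illustration only.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the summary table quoted in the post.
SAMPLE_REPORT = """\
The number of attack from same host to same destination using same method
=========================================================================
   attacks                    to               from
=========================================================================
  31 Source Port traffic      216.162.197.233  ns1.hisite.com
  25 Source Port traffic      216.162.197.233  mtl.bb4.com
  21 SMB Name Wildcard        216.162.197.233  cs310-42.spmodem.washingto
  14 Source Port traffic      216.162.197.233  ns.CNRI.Reston.VA.US
   4 Source Port traffic      216.162.197.233  resolver1.Seattle1.Level3.
   3 SMB Name Wildcard        216.162.197.233  12.0.40.191
   2 Source Port traffic      216.162.197.233  dname1.wolfe.net
"""

# A data row is: count, signature text, destination IP, source host.
# The destination column is always a dotted-quad, which anchors the regex
# so that the multi-word signature text can be matched lazily before it.
ROW_RE = re.compile(
    r"^\s*(?P<count>\d+)\s+(?P<sig>.+?)\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<src>\S+)\s*$"
)


def parse_report(text):
    """Return a list of (count, signature, dst, src) tuples; header,
    separator and blank lines are skipped because they carry no IP."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((int(m["count"]), m["sig"], m["dst"], m["src"]))
    return rows


def totals_by_signature(rows):
    """Sum alert counts per signature, highest first, so the reader sees
    which rule is responsible for most of the noise."""
    totals = defaultdict(int)
    for count, sig, _dst, _src in rows:
        totals[sig] += count
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


# Assumption (not stated in the post): a source whose first hostname label
# starts with one of these strings is probably a DNS server, i.e. a host the
# monitored box itself talks to rather than an unknown third party.
NAMESERVER_PREFIXES = ("ns", "resolver", "dname")


def looks_like_nameserver(host):
    """Heuristic only: classify by the first DNS label of the source host."""
    first_label = host.split(".")[0].lower()
    return first_label.startswith(NAMESERVER_PREFIXES)


def triage(rows, known_hosts=()):
    """Split rows into two buckets: 'recognized' (source is in known_hosts,
    or a name-server-looking host that only tripped the Source Port rule)
    and 'review' (everything else, worth reading the full alert for)."""
    known = {h.lower() for h in known_hosts}
    recognized, review = [], []
    for row in rows:
        _count, sig, _dst, src = row
        if src.lower() in known or (
            sig == "Source Port traffic" and looks_like_nameserver(src)
        ):
            recognized.append(row)
        else:
            review.append(row)
    return recognized, review


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for sig, total in totals_by_signature(parsed):
        print(f"{total:5d}  {sig}")
    # "mtl.bb4.com" is a hypothetical entry standing in for a host the
    # reader knows legitimately connects to the box.
    ok, check = triage(parsed, known_hosts=("mtl.bb4.com",))
    print("recognized:", [r[3] for r in ok])
    print("review:    ", [r[3] for r in check])
```

Run it against a saved copy of the analyser's summary instead of `SAMPLE_REPORT` and extend `known_hosts` with the addresses you already trust; the rows left in the `review` bucket are the ones to compare against the raw Snort alert file, since the summary alone does not say which packet fields matched the rule.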


