LinuxSA Mailing list archives
From: Daryl Tester <Daryl.Tester@iocane.com.au>
To: David Creed <dave.and.jen@internode.on.net>
Date: Wed, 03 Dec 2003 20:15:17 +1030
Re: Unusual entry in Snort log
David Creed wrote:
> I installed snort a couple of weeks ago and came home today to find this
> log (attached below) with unusual entries.
> I don't like the sound of port scans coming FROM my machine, have I been
> "0wn3d"?
> Advice and opinions gratefully accepted.
Unfortunately, snort doesn't appear to have given any details of what ports
were being scanned, which would be helpful in determining whether snort has
just tripped on normal outbound connections (e.g. a bunch of connections to
a variety of web pages, which may show enough of a diverse range of hosts
for snort to trigger on), or whether there was something more sinister
happening. Do you have any more detailed log files to go by?
Another thing - the source IP address appears private. Are you NAT'ing?
Could snort be picking up outbound requests from a PC on your internal
network? (I get this from my wife's XP machine all the time).
--
Regards,
Daryl Tester, Software Wrangler and Bit Herder, IOCANE Pty. Ltd.
"Next time, let's screw it up my way first." -- Jay D. Dyson
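
The distinction drawn in the reply above (many different hosts on ordinary web ports versus many ports on one host, and whether the source address is private) can be checked mechanically once per-connection detail is available. The following is an added example, not part of the original message and not Snort output: the `src:port -> dst:port` record format, the thresholds, and all addresses are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB_PORTS = {80, 443}
PORTS_PER_HOST = 5   # assumed threshold: this many ports on one host looks like a scan
MIN_HOSTS = 4        # assumed threshold: this many distinct hosts counts as "diverse"
LINE = re.compile(r"(\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)")

# Constructed sample records (assumed format, documentation addresses).
SAMPLE = "\n".join(
    [f"192.168.0.5:{1045 + i} -> {dst}" for i, dst in enumerate(
        ["203.0.113.10:80", "203.0.113.22:80", "198.51.100.7:443",
         "198.51.100.9:80", "203.0.113.40:443"])]
    + [f"192.168.0.9:{2300 + i} -> 198.51.100.50:{p}"
       for i, p in enumerate((21, 22, 23, 25, 110, 139, 445))]
)

def triage(text):
    """Summarise outbound connections per source address and give a verdict."""
    per_src = defaultdict(lambda: defaultdict(set))  # src -> dst host -> dst ports
    for m in LINE.finditer(text):
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        per_src[src][dst].add(dport)
    report = {}
    for src, hosts in per_src.items():
        ports = set().union(*hosts.values())
        if max(len(p) for p in hosts.values()) >= PORTS_PER_HOST:
            verdict = "scan-like: many ports on one host"
        elif len(hosts) >= MIN_HOSTS and ports <= WEB_PORTS:
            verdict = "likely normal outbound web traffic"
        else:
            verdict = "inconclusive: need more detailed logs"
        addr = ipaddress.ip_address(src)
        report[src] = {"private": any(addr in n for n in RFC1918),
                       "hosts": len(hosts), "ports": sorted(ports),
                       "verdict": verdict}
    return report

if __name__ == "__main__":
    for src, info in triage(SAMPLE).items():
        print(src, info)
```

A private source address in the report points at a host behind the NAT rather than the gateway itself, which is the second question the reply raises.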