[Intrusions] 80 to 3669
Gary Hendricks
intrusions at project415.org
Thu Jun 24 08:17:32 GMT 2004
Just when you thought the going was good.
I added a rule to capture the traffic. I noticed that it contained 'network
unreachable' and such.
This was most likely due to the firewall rejecting/dropping the packets.
I turned those ports on so they would not get rejected, so I could let snort
do its business.
However, the minute I turned it on, I could not see any of the events. I
thought the rule was not working and disabled the ports again. However, not
a single attempt was logged after that! This is Murphy's law at work. *sigh*
Thanks for all the efforts and suggestions.
-Gary
----- Original Message -----
From: "Tom Glaab" <tglaab at clutter.com>
To: "Intrusions List (GCIA Practicals)" <intrusions at lists.sans.org>
Sent: Wednesday, June 23, 2004 3:36 PM
Subject: Re: [Intrusions] 80 to 3669
> I looked and ehsbrann.com appears to be a banner ad provider. My guess
> is this is one of those deals that tries to insert ad banners by jumping
> into an established connection (not hijacking, just trying to appear as
> the primary site that called for the ads).
>
> This used to be fairly common, but got fixed, I thought.
>
> tg.
>
> Butterworth, Jim wrote:
>
> >Is the payload HTML, or is there evidence that someone is tunneling
> >through port 80 with another tool/app? Is the dst always the same machine
> >on your network?
> >
> >R/Jim.
> >GCIA