[Intrusions] Interesting development using tcpdump in conjunction with SQUID filtering and this hostname - bubba.scps.k12.fl.us

James C Slora Jr Jim.Slora at phra.com
Tue Jan 25 23:02:48 GMT 2005


David McCall wrote Tuesday, January 25, 2005 11:47 AM

> The IP for bubba doesn't appear in the untrusted list and after each new 
> IP that appears in the SQUID list something gets sent to bubba,........

Have you looked through the SQUID logs for the seemingly legitimate queries
that bubba is making, corresponding with the new DoS bots and the tcpdump
records? Is it just asking for the same page over and over? Is it trying to
do something naughty that did not trigger any previous alarms?

Florida k12 schools do have overworked security people who go around taking
care of problems, and have some experience with botnets etc. A phone call to
them might get your problem to the top of their list if there is a strong
correlation with the drones or if the k12 host is trying something obviously
wrong. 
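One way to do the log check Jim describes, as an added example that is not part of the original thread: parse Squid native-format access.log lines, see whether the suspect host keeps requesting the same page, and list its requests that fall within a short window of each new drone IP's first appearance. The log lines, the drone IPs and the suspect host's address (192.0.2.10) are constructed placeholders, not data from the thread.

```python
import re
from collections import Counter

# Constructed Squid native access.log lines (placeholder data, not from the thread).
# Fields: unix_ts elapsed_ms client_ip status/code bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1106671200.100 45 192.0.2.10 TCP_MISS/200 512 GET http://example.invalid/check.php - DIRECT/198.51.100.7 text/html
1106671230.000 12 10.1.1.20 TCP_MISS/200 2048 GET http://example.invalid/index.html - DIRECT/198.51.100.7 text/html
1106671260.300 40 192.0.2.10 TCP_MISS/200 512 GET http://example.invalid/check.php - DIRECT/198.51.100.7 text/html
1106671290.000 15 10.1.1.21 TCP_MISS/200 2048 GET http://example.invalid/index.html - DIRECT/198.51.100.7 text/html
1106671800.000 33 192.0.2.10 TCP_MISS/200 512 GET http://example.invalid/check.php - DIRECT/198.51.100.7 text/html
"""

# Constructed: the first time each suspected drone IP showed up in the Squid list / tcpdump.
NEW_DRONE_FIRST_SEEN = {"10.1.1.20": 1106671230.0, "10.1.1.21": 1106671290.0}

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

def parse_squid_log(text):
    """Return (timestamp, client_ip, method, url) tuples for each parsable line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((float(m.group("ts")), m.group("client"), m.group("method"), m.group("url")))
    return rows

def url_histogram(rows, client):
    """How often the host asks for each URL: is it the same page over and over?"""
    return Counter(url for _, ip, _, url in rows if ip == client)

def correlate(rows, client, first_seen, window_s=60):
    """For each new drone IP, list the suspect host's requests made within window_s
    seconds of the drone's first appearance. A hit beside every new drone is the kind
    of correlation worth raising with the host's administrators."""
    hits = {}
    for drone, t0 in first_seen.items():
        hits[drone] = [(ts, url) for ts, ip, _, url in rows
                       if ip == client and abs(ts - t0) <= window_s]
    return hits

if __name__ == "__main__":
    rows = parse_squid_log(SAMPLE_LOG)
    print(url_histogram(rows, "192.0.2.10"))
    for drone, reqs in correlate(rows, "192.0.2.10", NEW_DRONE_FIRST_SEEN).items():
        print(drone, len(reqs), "nearby request(s) from the suspect host")
```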