Am Sun, 05 Aug 2001 schrieb Sven Carstens <s.carstensat_private>: > Just sitting here and enjoying my new snort rules. > Then a packet that reports not the codered variant > but the plain old .ida access warning. > > The mandatory look into the payload reveals: > the next variant > > Only occurance twice from the same ip-adress to the same ip-adress. > The relatively quick check reveals a dial-up system that claims to use > an apache server and SuSE-Linux. > > Reported him to the provider and we'll see what happens Seems not the script kiddiez are playing after all! It's just snort getting tired and needing a rest ? The double check with the apache logfiles showed that on the exact time from the exact ip a regular user was just browsing the regular web pages. Will now treat myself (but not snort) with some sleep. CU Sven ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Aug 05 2001 - 14:23:41 PDT