azraelsolution.de

• Next message: Sean.McHughepic.sungard.com: "[Snort-users] Traffic generators..."
• Previous message: Simon Attwell: "[Snort-users] Weird alerts - false positive ?"
• In reply to: Simon Attwell: "[Snort-users] Weird alerts - false positive ?"
• Next in thread: Simon Attwell: "Re: [Snort-users] Weird alerts - false positive ?"
• Next in thread: Robert E. Leever: "Re: [Snort-users] Weird alerts - false positive ?"
• Reply: Andreas Lindenblatt: "Re: [Snort-users] Weird alerts - false positive ?"
• Reply: Simon Attwell: "Re: [Snort-users] Weird alerts - false positive ?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Simon,

> The alerts in most cases are sourced from my W2K host, and the destination
> is a nameserver on my network, 21 and 53 are nameservers, 6 is the W2K box.

IMHO this means that your x.x.x.53 tries to reach a port at your
W2K-host that it's not allowed not access. Does your host on .53 handle
mail? Most Mailers try to get information from the sender (auth, Port
113), which means your suspicious traffic should occur when you send or
recieve mail.

-- 
----
BYE Andreas
[Solution - The Computer People]
[http://www.solution.de]
[fax:+49-621-7140721]
[Mannheim/Germany]
_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/snort-users

• Next message: Sean.McHughepic.sungard.com: "[Snort-users] Traffic generators..."
• Previous message: Simon Attwell: "[Snort-users] Weird alerts - false positive ?"
• In reply to: Simon Attwell: "[Snort-users] Weird alerts - false positive ?"
• Next in thread: Simon Attwell: "Re: [Snort-users] Weird alerts - false positive ?"
• Next in thread: Robert E. Leever: "Re: [Snort-users] Weird alerts - false positive ?"
• Reply: Andreas Lindenblatt: "Re: [Snort-users] Weird alerts - false positive ?"
• Reply: Simon Attwell: "Re: [Snort-users] Weird alerts - false positive ?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]