Linux Users' Group of Davis (LUGOD)
Page last updated: 2002 Jul 12 14:14

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] IDS alert

greetings from adsl-209-233-98-66.dsl.scrm01.pacbell.net. I have a
static IP from pacbell DSL and that is the name that pacbell has
attached to it.
The scrm refers to sacramento. The other choices are snfc (san
francisco), lsan (los angeles), sndg (san diego).


msimons@moria.simons-clan.com wrote:

>On Thu, Jul 11, 2002 at 06:20:30PM -0700, Nick Donnelly wrote:
>
>>Pete said I might try forwarding this along--does anyone else's
>>pacbell dsl identify itself like Pete's does (i.e.
>>*.dsl.scrm01.pacbell.net)?  Anyone have a guess as to why only Pete's
>>setup sets off snort?
>
>[...]
>
>>>Also, I guess I am wondering why only your pacbell DSL addy has
>>>".scr" in it--don't a lot of other people on the list use the same
>>>service?
>
>>>alert tcp any 110 -> any any (msg:"Virus - Possible scr Worm";
>>>content: ".scr"; nocase; sid:729;  classtype:misc-activity; rev:3;)
>
>  I don't know anything about snort, but this appears to be looking for
>any packet to port 110 (pop3) with the letters '.scr' in it.  This type
>of rule is way too broad to be useful... any email with those letters
>in it should trigger the problem.
>
>  Every other pacbell DSL person I know appears to have the same
>naming of their hosts with .scr as part of the name.  I suspect you
>only see that problem from Pete's because he is doing mail from that
>his DSL machine directly.
>
>  Without knowing anything else about it, my first impression is
>that particular snort rule is useless and should simply be removed
>from your ruleset.
>
>    TTFN,
>      Mike
>
>ps: I'm interested in what other people think.



_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
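As an added illustration (not from anyone in the thread), a small Python emulation of the quoted rule's content match run against constructed POP3 responses: it shows why a Received: header naming a *.dsl.scrm01.pacbell.net host trips the ".scr" nocase check, and puts a narrower attachment-filename check beside it for comparison. The sample payloads and the tightened pattern are assumptions made for this example.

```python
import re

# Constructed POP3 RETR responses (server port 110 -> client); not real captures.
# The benign one carries a Received: header naming a pacbell DSL host, as in the thread.
BENIGN_POP3_PAYLOAD = (
    "+OK 412 octets\r\n"
    "Received: from adsl-209-233-98-66.dsl.scrm01.pacbell.net\r\n"
    "\t(adsl-209-233-98-66.dsl.scrm01.pacbell.net [209.233.98.66])\r\n"
    "\tby mail.example.invalid with ESMTP; Thu, 11 Jul 2002 18:20:30 -0700\r\n"
    "From: pete@example.invalid\r\n"
    "Subject: meeting notes\r\n"
    "\r\n"
    "See you Thursday.\r\n"
    ".\r\n"
)

# Constructed message with an actual .scr attachment (the case the rule is meant for).
SUSPECT_POP3_PAYLOAD = (
    "+OK 1024 octets\r\n"
    "From: someone@example.invalid\r\n"
    "Content-Type: application/octet-stream; name=\"photos.SCR\"\r\n"
    "Content-Disposition: attachment; filename=\"photos.SCR\"\r\n"
    "\r\n"
    "TVqQAAMAAAAEAAAA\r\n"
    ".\r\n"
)


def sid729_matches(src_port: int, payload: str) -> bool:
    """Emulates the quoted rule: tcp from port 110 to anywhere, content ".scr" with
    nocase, i.e. a case-insensitive substring search over the whole payload."""
    return src_port == 110 and ".scr" in payload.lower()


def first_hit_context(payload: str, width: int = 20) -> str:
    """Returns the text around the first '.scr' hit, so an analyst can see what fired."""
    idx = payload.lower().find(".scr")
    return "" if idx < 0 else payload[max(0, idx - width): idx + width]


# Hypothetical tightened check (an assumption, not a rule from the thread): only fire
# when a MIME Content-Disposition header names an attachment whose filename ends in .scr.
ATTACHMENT_SCR = re.compile(r'^content-disposition:.*filename="?[^"\r\n]*\.scr"?', re.I | re.M)


def tightened_matches(src_port: int, payload: str) -> bool:
    return src_port == 110 and ATTACHMENT_SCR.search(payload) is not None
```

The benign message fires the original check purely because of the hostname in its Received: header, while the narrower check fires only on the message that actually carries a .scr attachment.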