List: bleeding-sigs
Subject: Re: [Bleeding-sigs] Storm Sigs
From: Russell Fulton <r.fulton () auckland ! ac ! nz>
Date: 2007-09-05 5:51:37
Message-ID: 46DE43E9.2030602 () auckland ! ac ! nz
OK, I've persuaded placid to show me the full alerts -- there is clearly
a bug in placid...
Matt Jonkman wrote:
> Since they're IP matches snort won't be putting the payload into the
> alerts. Is that what's throwing you off?
>
There is actually payload there!
> What they'll be hitting on likely is the spam inbound to you from
> infected hosts, or http probes, vuln scans, whatever the storm herders
> are using the bots for this week. It varies a good deal.
>
yep, that's it. 99% of the hits are inbound to our SMTP hosts.
Ah! I should have checked the rules more closely. They use HOME_NET
which I set to any since I am as (more?) interested in outgoing
attacks as I am in incoming. Screws stuff like this though.
Hmmmm... can oinkmaster do global changes on a file?
Russell
_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
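Oinkmaster's modifysid directive can apply one substitution to every rule in a single rules file, which is the kind of global change asked about above. The fragment below is an added illustration and is not from the list post: it assumes a hypothetical Snort variable STORM_HOME for the hosts whose outbound contacts should be alerted on, a constructed address range, and a placeholder storm rules filename.

```conf
# snort.conf (added example): a narrower variable for the hosts whose
# outbound contact with the listed storm IPs should raise an alert.
# STORM_HOME is a hypothetical name; the range is a constructed placeholder.
var STORM_HOME [192.0.2.0/24]

# oinkmaster.conf (added example): rewrite $HOME_NET in the rules of one
# file only, so every other rule file keeps the site-wide HOME_NET of any.
# Syntax: modifysid <sid | filename | *> "regexp" | "replacement"
# The replacement is Perl-interpolated, so a literal "$" must be escaped.
# "bleeding-storm.rules" is a placeholder for the actual storm rules filename.
modifysid bleeding-storm.rules "\$HOME_NET" | "\$STORM_HOME"
```

Giving `*` instead of a filename applies the substitution to every rule Oinkmaster processes, which is rarely what is wanted for one rule set.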