[wplug] Need help with a snort alert. Did my box get hacked?

Chris Romano romano.chris at gmail.com
Fri Oct 21 11:44:35 EDT 2005


On 10/21/05, Ken Rambler <ken at ramblernet.com> wrote:
>
> Chris,
>  Are you using IPTABLES or SHOREWALL?
> Do you have a wireless router on your LAN, and if so are you using
> wireless encryption?
> Was this message from your firewall or a machine behind it?
> Which log contained the message?
>  At first glance this looks like a 404 entry from your HTTP log.
>


The main firewall is an InstaGate firewall. It's basically a box with
Pittbull Linux and you use a web interface to administer it. The
firewall/proxy box is using IPTABLES.

This is a LAN and we do not have any wireless APs.

The entry is from Snort IDS. Our snort box logs everything into a MySQL
database and we just use a Web GUI to view the data.

This is our setup

XXXXXXX - main Firewall (10.10.10.1)
|
| --- XXXX Snort Box
|
| --- XXXX two public boxes (web/email etc)
|
XXXXXXX - Firewall/Proxy (10.10.10.5)
|
XXXXXXX - 192.168.0.x network

Thanks,
Chris