To All:
I'm trying to understand how to use SNORT to determine
whether a spammer is using my machine or not. I have
a lot of documentation, but still don't understand what
I am looking for.
PROBLEM
- When I send emails (using POP3/SMTP w/ thunderbird),
once in a while a message returns.
- In my bulk folder, when I log on via the web, I notice
a lot of returned emails, i.e., a spammer is spamming
everywhere and the bounced emails are showing up in my
"suspected spam" folder (so the emails never make it
down to my desktop - but that's good).
STRATEGY
I'm trying to figure out if
- my desktop machine is infested (probably not)
- the window server (external of the desktops), that also
has a firewall, is infested
- a spammer is just using my address in the "reply to"
part of the spamming emails.
QUESTION
I'm using SNORT (http://www.snort.org) to figure out whether
my desktop is being abused. The trouble is I don't know
exactly what I'm looking for. Perhaps I'm not understanding
the basic philosophy of SNORT.
I've tried snort -v and get a lot of data on the screen.
For example, one set of data looks like
05/16-10:12:25.315820 199.107.65.177:80 -> 192.168.1.101:1648
TCP TTL:43 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x4578D44F Ack: 0x72FD8295 Win: 0x2180 TcpLen: 32
TCP Options (3) => NOP NOP TS: 3996598544 922509
Exactly what am I looking for? I prefer not to output tons of
stuff, but enough to determine if someone else is abusing this
desktop. FYI, I'm the only one supposed to be on it, using Xandros
2.0 (Debian-based) and this old Dell Dimension l933r. And I'm
using DSL Yahoo! and a sbcglobal.net account.
Thanks in advance for any help.
Sheng-Chieh
-----
p.s. In case anybody else wants them, the SNORT docs are at
http://www.snort.org/docs/
http://neworder.box.sk/newsread.php?newsid=7646
http://www.dpo.uab.edu/~andrewb/snor...doc/snort.html
http://www.jpsdomain.org/infosec/snort.html
http://www.ntsug.org/docs.html
http://www.inmon.com/tutorials/ids.php
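What the `snort -v` output can actually answer here is the first two possibilities in the STRATEGY list: a desktop that is only a mail client should open port 25 to its ISP's relay and nowhere else, so outbound SYNs to port 25 at many other hosts are the thing to look for. The third possibility (a forged Reply-To on someone else's spam) produces no packets from the desktop at all, so no amount of sniffing will show it. The script below is an added example, not part of the original post; it parses packet headers in the exact format quoted above and reports new outbound SMTP connections from the desktop (192.168.1.101, taken from the post's capture) to anything other than an allowed relay. The relay address 10.0.0.25 and all packets after the first are constructed for the example.

```python
import re

# Constructed sample in the `snort -v` format quoted in the post; the first
# packet is the one from the post, the others are made up to show the cases.
SAMPLE = """\
05/16-10:12:25.315820 199.107.65.177:80 -> 192.168.1.101:1648
TCP TTL:43 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x4578D44F Ack: 0x72FD8295 Win: 0x2180 TcpLen: 32
05/16-10:13:01.000100 192.168.1.101:1650 -> 10.0.0.25:25
TCP TTL:64 TOS:0x0 ID:101 IpLen:20 DgmLen:60 DF
******S* Seq: 0x11111111 Ack: 0x0 Win: 0x16D0 TcpLen: 40
05/16-10:13:02.000200 192.168.1.101:1651 -> 203.0.113.7:25
TCP TTL:64 TOS:0x0 ID:102 IpLen:20 DgmLen:60 DF
******S* Seq: 0x22222222 Ack: 0x0 Win: 0x16D0 TcpLen: 40
05/16-10:13:02.500000 203.0.113.7:25 -> 192.168.1.101:1651
TCP TTL:50 TOS:0x0 ID:7 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x33333333 Ack: 0x22222223 Win: 0x16D0 TcpLen: 40
05/16-10:13:05.000300 192.168.1.101:1652 -> 198.51.100.9:25
TCP TTL:64 TOS:0x0 ID:103 IpLen:20 DgmLen:60 DF
******S* Seq: 0x44444444 Ack: 0x0 Win: 0x16D0 TcpLen: 40
"""

HEADER = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")
FLAGS = re.compile(r"^([12UAPRSF*]{8}) Seq:")  # Snort's 8-character TCP flag field


def parse_packets(text):
    """Group snort -v lines into packets: an address line starts one, the
    flags line that follows completes it; the TTL/TOS line is skipped."""
    packets, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"ts": m.group(1), "src": m.group(2), "sport": int(m.group(3)),
                   "dst": m.group(4), "dport": int(m.group(5)), "flags": ""}
            packets.append(cur)
            continue
        f = FLAGS.match(line)
        if f and cur is not None:
            cur["flags"] = f.group(1)
    return packets


def outbound_smtp_attempts(text, local_host, allowed_relays):
    """New outbound SMTP connections (SYN without ACK) from the desktop to any
    host other than the configured relay(s). A mail client opens port 25 only
    to its ISP's relay; SYNs to many other hosts on port 25 look like a spam
    engine on the box. Bounces caused by a forged Reply-To never show up here."""
    return [p for p in parse_packets(text)
            if p["src"] == local_host and p["dport"] == 25
            and "S" in p["flags"] and "A" not in p["flags"]
            and p["dst"] not in allowed_relays]
```

On the sample this reports the two SYNs to 203.0.113.7 and 198.51.100.9 and ignores the one to the relay; in Snort itself the same check is a rule on `tcp $HOME_NET any -> !$SMTP_SERVERS 25` with `flags:S;`, which keeps the output to just these events instead of every packet.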