What does this snort log look like to you?
Does this say what I think it does?
I'm going to be rebuilding this box when I get back from work today, aren't I? The traffic from 192.168.1.44 is being picked up because it is connected to the same hub as the scanning computer.
Code:
[**] [122:3:0] (portscan) TCP Portsweep [**]
Do a thorough investigation before reinstalling anything for two reasons:
1. You don't want to end up reinstalling the same way as you first did, negating a refresh of the OS. You want to understand how your machine was compromised so that you learn from it and adapt your install so that it doesn't happen again.
2. You may not even need to reinstall if this is a false positive or something that can be mitigated/lessened via layered security.
Looking at what you've posted, it appears IP 192.168.1.44 is scanning outbound and maybe attacking certain IPs utilizing port 6112. I'd look into the raw snort logs (the payload or packet trace) to see whether these are 'real' events to worry about. Assess the signature (or rule) to determine if the packet traces are actually matching the snort rule's signature string.
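A triage helper in the spirit of that advice, added here as an example (it is not code from the thread): it parses Snort's one-line "fast" alert format and tallies, per source host, sfPortscan preprocessor events (generator id 122, as in [122:3:0]) against rule-based hits and the destination ports involved, so you can see whether a host such as 192.168.1.44 is scanning outbound or is merely being scanned. The sample alert lines, local rule SIDs and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample alerts in Snort "fast" format (not taken from the thread).
SAMPLE_ALERTS = """\
04/12-03:51:10.123456  [**] [122:3:0] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 192.168.1.44 -> 10.0.0.5
04/12-03:51:11.223456  [**] [122:3:0] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 192.168.1.44 -> 10.0.0.6
04/12-03:51:12.323456  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.168.1.44 -> 10.0.0.7
04/12-03:52:01.000000  [**] [1:9999999:1] LOCAL game port probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.44:33211 -> 10.0.0.8:6112
04/12-03:52:02.000000  [**] [1:9999999:1] LOCAL game port probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.44:33212 -> 10.0.0.9:6112
04/12-03:55:00.000000  [**] [1:9999998:1] LOCAL inbound probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:4444 -> 192.168.1.44:22
"""

# timestamp [**] [gid:sid:rev] msg [**] [Classification: ...]? [Priority: n] {proto} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?\s*$"
)

PORTSCAN_GID = 122  # generator id of the sfPortscan preprocessor

def parse_alert(line):
    """Return a dict of the alert's fields, or None if the line is not a fast-format alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    a = m.groupdict()
    for k in ("gid", "sid", "rev", "prio"):
        a[k] = int(a[k])
    a["sport"] = int(a["sport"]) if a["sport"] else None  # portscan events carry no ports
    a["dport"] = int(a["dport"]) if a["dport"] else None
    return a

def summarize(text):
    """Per source host: portscan events vs rule hits, distinct targets and destination ports."""
    out = defaultdict(lambda: {"portscan": 0, "rule": 0, "targets": set(), "dst_ports": Counter()})
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue  # skip lines that are not alerts
        s = out[a["src"]]
        s["portscan" if a["gid"] == PORTSCAN_GID else "rule"] += 1
        s["targets"].add(a["dst"])
        if a["dport"] is not None:
            s["dst_ports"][a["dport"]] += 1
    return out
```

A host that appears only as a source with many distinct targets is the scanner; one that appears only as a destination is the scanned. Either way, confirm against the packet captures before deciding anything.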