I am getting the message below from Astaro 7.002
I cannot detect the trojan on the PC in question so I think / hope it's a false alarm. However, of more immediate importance is that the "packet dropped" section says that the packet has not been dropped. Yet my IDS settings are set to drop anything that I consider even close to being relevant. Specifically malware and DOS, which seem the most relevant...
Anyone have any ideas?
Sean
Intrusion Protection Alert
An intrusion has been detected. The packet has *not* been dropped.
If you want to block packets like this one in the future, set the corresponding intrusion protection rule to "drop" in WebAdmin.
Be careful not to block legitimate traffic caused by false alerts though.
Details about the intrusion alert:
Message........: BACKDOOR superspy 2.0 beta runtime detection - file management
Details........: http://www.snort.org/pub-bin/sigs.cgi?sid=8477
Time...........: 2007:04:12-17:04:07
Packet dropped.: no
Priority.......: 1 (high)
Classification.: A Network Trojan was detected
IP protocol....: 6 (TCP)
Source IP address: 192.168.38.19
- http://www.dnsstuff.com/tools/ptr.ch?ip=192.168.38.19
- http://www.ripe.net/perl/whois?query=192.168.38.19
- http://ws.arin.net/cgi-bin/whois.pl?queryinput=192.168.38.19
- http://cgi.apnic.net/apnic-bin/whois.pl?search=192.168.38.19
Source port: 4317
Destination IP address: 213.244.170.73
- http://www.dnsstuff.com/tools/ptr.ch?ip=213.244.170.73
- http://www.ripe.net/perl/whois?query=213.244.170.73
- http://ws.arin.net/cgi-bin/whois.pl?queryinput=213.244.170.73
- http://cgi.apnic.net/apnic-bin/whois.pl?search=213.244.170.73
Destination port: 12340
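As an added example (not from the post or from Astaro), a small Python triage script that parses this alert e-mail format and reports when an alert whose classification the admin expects to be dropped arrived with "Packet dropped: no", i.e. the rule is still in alert mode. The sample alert and the EXPECTED_DROP policy set are constructed from the values quoted above.

```python
import re

# Constructed sample reproducing the field layout of the Astaro 7 IPS alert
# e-mail quoted in the post (values taken from that alert).
SAMPLE_ALERT = """\
An intrusion has been detected. The packet has *not* been dropped.
Details about the intrusion alert:
Message........: BACKDOOR superspy 2.0 beta runtime detection - file management
Details........: http://www.snort.org/pub-bin/sigs.cgi?sid=8477
Time...........: 2007:04:12-17:04:07
Packet dropped.: no
Classification.: A Network Trojan was detected
Source IP address: 192.168.38.19
- http://www.dnsstuff.com/tools/ptr.ch?ip=192.168.38.19
Source port: 4317
Destination IP address: 213.244.170.73
Destination port: 12340
"""

# Assumed local policy, not an Astaro setting: classifications the admin
# intends to drop rather than merely alert on.
EXPECTED_DROP = {"A Network Trojan was detected"}

# "Label....: value" or "Label: value"; the label ends at the run of dots.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\.*:(?: (.*))?$")

def parse_alert(text):
    """Map field names to values; the '- http://...' lookup links are skipped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("- "):
            continue
        m = FIELD_RE.match(line)
        if m and m.group(2) is not None:  # header lines ending in ':' carry no value
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def action_mismatch(fields, expected_drop=EXPECTED_DROP):
    """Describe the rule to flip to 'drop' in WebAdmin when an alert of an
    expected-drop classification reports the packet was not dropped."""
    classification = fields.get("Classification", "")
    dropped = fields.get("Packet dropped", "").lower() == "yes"
    if classification not in expected_drop or dropped:
        return None
    sid = re.search(r"\bsid=(\d+)", fields.get("Details", ""))
    return (f"sid {sid.group(1) if sid else '?'} ({classification}) is in alert mode: "
            f"{fields['Source IP address']}:{fields['Source port']} -> "
            f"{fields['Destination IP address']}:{fields['Destination port']} was not dropped")
```

Run over a mailbox of these alerts, the returned strings list exactly the Snort rule ids whose WebAdmin action still disagrees with the intended policy.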