On Tuesday 27 March 2001 21:06, Togan Muftuoglu wrote:
snort-lin defining the HOME_NET 192.168.1.0/24 and EXTERNAL_NET as 212.xxx.xxx.0/22 as outlined with the ifconfig, everything else is left as is. Help is appreciated.
Mar 27 18:11:49 gardiyan snort: spp_http_decode: IIS Unicode attack detected: 212.xxx.xxx.xxx:61018 -> 195.44.254.18:80
Check the destination IPs. If these are websites that you or your users are visiting, or maybe some banner ad servers, then this is a false alarm and looks like it might be such an attack. If you do not visit the servers, then a script might be running on your machine trying to attack another server. If you are not running that script, who is?

So I'd say, it is not an attack against your machine, but either

a.) A false alarm of snort
b.) You have _ALREADY BEEN HACKED_ and a script of some sort is running on your machine attacking others.

BB,
Arjen
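The direction check described in the reply above, as an added example that is not part of the original thread: it parses alert lines in the syslog format quoted in the post, decides whether each alert is outbound or inbound relative to the local networks, and counts alerts per remote address so the destinations can be reviewed. The `LOCAL_NETS` value, the 203.0.113.x and 198.51.100.x addresses and the sample lines are constructed assumptions; 203.0.113.0/24 stands in for the redacted 212.xxx.xxx.0/22.

```python
import ipaddress
import re
from collections import Counter

# Assumption: networks the snort host sits on. 203.0.113.0/24 is a documentation
# range standing in for the redacted 212.xxx.xxx.0/22 of the post.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "203.0.113.0/24")]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ALERT_RE = re.compile(
    rf"snort: .*?: (?P<src>{IPV4}):\d+ -> (?P<dst>{IPV4}):\d+"
)

def direction(line, nets=LOCAL_NETS):
    """Return (kind, src, dst) for an alert line, or None if it cannot be parsed."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:          # e.g. an octet above 255
        return None
    src_local = any(src in n for n in nets)
    dst_local = any(dst in n for n in nets)
    if src_local and not dst_local:
        kind = "outbound"       # our side sent the request: browsing, or a local script
    elif dst_local and not src_local:
        kind = "inbound"        # a remote client sent the request to our server
    else:
        kind = "other"
    return kind, str(src), str(dst)

def triage(lines, nets=LOCAL_NETS):
    """Count alerts per remote address, split by direction."""
    out = {"outbound": Counter(), "inbound": Counter(), "other": Counter()}
    for line in lines:
        parsed = direction(line, nets)
        if parsed:
            kind, src, dst = parsed
            out[kind][src if kind == "inbound" else dst] += 1
    return out

# Constructed sample lines in the syslog format shown in the post.
SAMPLE = [
    "Mar 27 18:11:49 gardiyan snort: spp_http_decode: IIS Unicode attack detected: 203.0.113.10:61018 -> 195.44.254.18:80",
    "Mar 27 18:12:02 gardiyan snort: spp_http_decode: IIS Unicode attack detected: 203.0.113.10:61020 -> 195.44.254.18:80",
    "Mar 27 18:15:30 gardiyan snort: spp_http_decode: IIS Unicode attack detected: 198.51.100.7:4312 -> 203.0.113.10:80",
]
```

Outbound destinations that nobody on the network recognises are the ones to follow up on the host itself; lines with redacted or malformed addresses are skipped rather than guessed at.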