Security Incidents mailing list archives

Snort blah11 signature

From: OCreger () HOLLAND-SYSTEMS COM (Owen Creger)
Date: Wed, 5 Jul 2000 08:43:56 -0400


My exchange server is setting off the blah11 trojan signature from
whitehats.com
1 source, 13 destinations...

IDS109/trojan-active-blah11
06/30-14:05:30.263961 172.16.1.17:1042 -> 172.16.4.235:1438
TCP TTL:126 TOS:0x0 ID:19422 DF
**S***A* Seq: 0x2C787B4F Ack: 0x2C31B Win: 0x2238
TCP Options => MSS: 1460
Is this normal traffic from exchange, or should I be concerned?
Anyone know what port 1042 is used for in Exchange?

Owen C. Creger
Senior Network Engineer
Holland Systems, Corp.
950 Victors Way Suite 100
Ann Arbor, MI 48108
phone: 734.663.3737 fax: 734.663.9500
beeper: 517.794.3056
ocreger () holland-systems com
www.holland-systems.com

Current thread:

Snort blah11 signature Owen Creger (Jul 05)
- Re: Snort blah11 signature Cedric Puddy (Jul 06)
- Re: Snort blah11 signature Phonix (Jul 06)