Snort alert: need some help to interpret the data correctly



  • I have this alert in Snort and I'm not sure if there is an infected computer on our network or a malicious site was visited. Could someone help me interpret the data correctly? Thanks in advance!

    188.203.188.129 is our WAN address

    12/04-06:00:45 2 TCP Potentially Bad Traffic 188.203.188.129 6384 208.88.225.149 80 1:2014543:1 ET CURRENT_EVENTS TDS Sutra - request in.cgi
    12/04-06:00:45 1 TCP A Network Trojan was Detected 208.88.225.149 80 188.203.188.129 33983 1:2014611:1 ET CURRENT_EVENTS TDS Sutra - cookie set RULEZ
    12/04-06:00:45 2 TCP Potentially Bad Traffic 208.88.225.149 80 188.203.188.129 33983 1:2014546:4 ET CURRENT_EVENTS TDS Sutra - HTTP header redirecting to a SutraTDS
    12/04-06:00:45 2 TCP Potentially Bad Traffic 208.88.225.149 80 188.203.188.129 33983 1:2014545:2 ET CURRENT_EVENTS TDS Sutra - page redirecting to a SutraTDS
    12/04-06:00:45 2 TCP Potentially Bad Traffic 188.203.188.129 33983 208.88.225.149 80 1:2014543:1 ET CURRENT_EVENTS TDS Sutra - request in.cgi



  • It could be that someone in your network has visited a malicious website and that's why it's reporting the IP address on port 80 (HTTP).
    Are you the webhost or the user?



  • It's a normal home network at my parents' house.
    So someone probably visited a shady website?
    I just wanted to make sure that it's not a PC that is infected with malware.
    My dad is really gifted in getting malware/viruses on his PC.

    Thanks again
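
As an added example (not part of the original thread), this Python script parses the five alert lines from the question and groups them by remote endpoint and by direction relative to the WAN address. The function names and the assumed column layout are illustrative; the alert data is copied from the post with the web-UI button text removed.

```python
import re
from collections import defaultdict

WAN = "188.203.188.129"  # WAN address as stated in the question

# The five alert lines from the question, web-UI button text removed.
ALERTS = """\
12/04-06:00:45 2 TCP Potentially Bad Traffic 188.203.188.129 6384 208.88.225.149 80 1:2014543:1 ET CURRENT_EVENTS TDS Sutra - request in.cgi
12/04-06:00:45 1 TCP A Network Trojan was Detected 208.88.225.149 80 188.203.188.129 33983 1:2014611:1 ET CURRENT_EVENTS TDS Sutra - cookie set RULEZ
12/04-06:00:45 2 TCP Potentially Bad Traffic 208.88.225.149 80 188.203.188.129 33983 1:2014546:4 ET CURRENT_EVENTS TDS Sutra - HTTP header redirecting to a SutraTDS
12/04-06:00:45 2 TCP Potentially Bad Traffic 208.88.225.149 80 188.203.188.129 33983 1:2014545:2 ET CURRENT_EVENTS TDS Sutra - page redirecting to a SutraTDS
12/04-06:00:45 2 TCP Potentially Bad Traffic 188.203.188.129 33983 208.88.225.149 80 1:2014543:1 ET CURRENT_EVENTS TDS Sutra - request in.cgi
"""

IP = r"\d+\.\d+\.\d+\.\d+"
# Assumed column layout: time, priority, proto, classification,
# src ip/port, dst ip/port, gid:sid:rev, rule message.
LINE = re.compile(
    r"(?P<ts>\S+)\s+(?P<pri>\d+)\s+(?P<proto>\S+)\s+(?P<cls>.+?)\s+"
    rf"(?P<src>{IP})\s+(?P<sport>\d+)\s+(?P<dst>{IP})\s+(?P<dport>\d+)\s+"
    r"(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\s+(?P<msg>.+)"
)

def parse(text):
    """Return one dict per alert line that matches the layout."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]

def summarize(alerts, wan):
    """Group alerts by remote endpoint and direction relative to `wan`."""
    flows = defaultdict(lambda: {"outbound": set(), "inbound": set(),
                                 "local_ports": set()})
    for a in alerts:
        if a["src"] == wan:      # request leaving the home network
            side, remote, lport = "outbound", (a["dst"], int(a["dport"])), a["sport"]
        elif a["dst"] == wan:    # response coming back from the remote server
            side, remote, lport = "inbound", (a["src"], int(a["sport"])), a["dport"]
        else:
            continue
        flows[remote][side].add(int(a["sid"]))
        flows[remote]["local_ports"].add(int(lport))
    return dict(flows)

if __name__ == "__main__":
    for (ip, port), f in summarize(parse(ALERTS), WAN).items():
        print(f"{ip}:{port} local_ports={sorted(f['local_ports'])} "
              f"out_sids={sorted(f['outbound'])} in_sids={sorted(f['inbound'])}")
```

Every alert here involves one remote server on port 80 and only the WAN address on the local side, so the alerts alone do not show which machine behind the router made the requests.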

