Gentoo Archives: gentoo-security

From: aa6qn@×××××××××××.net
To: gentoo-security@l.g.o
Subject: [gentoo-security] Snort alert with Squid ?
Date: Sun, 06 Nov 2005 16:06:58
Message-Id: 63729.192.168.1.2.1131293015.squirrel@192.168.1.12
1 I could use some help here. I have emerged Snort on my system here (along
2 with SnortSnarf) and have been watching the alerts. What is causing my
3 concern it that my server is being reported as a source for serveral web
4 based attack signatures to a host of unknown destinations. I have spent
5 some time cleaning and rebuilding the server with no luck until I turned
6 off Squid.
7
8 BTW, all clients behind the squid box were turned off to insure the server
9 was the source.
10
11 I am using the latest portage ebuild Squid-2.5.11 Stable with a clean
12 build and I still get alerts from my box as source. Running 2.6.13-r5
13 kerel. I have tried Nessus to see if any un-authorized port was running
14 (nothing other than standard ports) and ran McAfee linux virus scan
15 (nothing there either).
16
17 I did not see anything on the web that would explain an exploit such as a
18 worm or trojan that is based on the current Squid build.
19
20 Any advise on the next thing to look at? I am starting to wonder if its
21 the squid ebuild.
22
23 Thank you in advance,
24 JohnF
25
26 --
27 gentoo-security@g.o mailing list

Replies

Subject Author
Re: [gentoo-security] Snort alert with Squid ? "Brian G. Peterson" <brian@×××××××××.com>