From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from lists.gentoo.org ([140.105.134.102] helo=robin.gentoo.org) by nuthatch.gentoo.org with esmtp (Exim 4.50) id 1EYoJa-0000L8-2l for garchives@archives.gentoo.org; Sun, 06 Nov 2005 17:28:22 +0000
Received: from robin.gentoo.org (localhost [127.0.0.1]) by robin.gentoo.org (8.13.5/8.13.5) with SMTP id jA6HPbNg016861; Sun, 6 Nov 2005 17:25:37 GMT
Received: from ethos.braverock.com (ethos.braverock.com [66.92.142.163] (may be forged)) by robin.gentoo.org (8.13.5/8.13.5) with ESMTP id jA6HLrE6001092 for ; Sun, 6 Nov 2005 17:21:53 GMT
Received: from [10.23.1.106] (dsl017-021-008.chi1.dsl.speakeasy.net [69.17.21.8]) (authenticated bits=0) by ethos.braverock.com (8.13.3/8.13.1) with ESMTP id jA6HLpJb012994 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO) for ; Sun, 6 Nov 2005 11:21:52 -0600
From: "Brian G. Peterson"
Organization: Braverock Ventures
To: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] Snort alert with Squid ?
Date: Sun, 6 Nov 2005 11:21:50 -0600
User-Agent: KMail/1.8.3
References: <63729.192.168.1.2.1131293015.squirrel@192.168.1.12>
In-Reply-To: <63729.192.168.1.2.1131293015.squirrel@192.168.1.12>
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-security@gentoo.org
Reply-to: gentoo-security@lists.gentoo.org
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200511061121.51020.brian@braverock.com>
X-Archives-Salt: 5f7a0bfa-709c-459c-b3fd-1d1a51c5b5e4
X-Archives-Hash: 8a6affac6dba4ccd7499c541c3daff32

On Sunday 06 November 2005 10:03 am, aa6qn@aa6qn.sytes.net wrote:
> I could use some help here. I have emerged Snort on my system here (along
> with SnortSnarf) and have been watching the alerts. What is causing my
> concern is that my server is being reported as a source for several web
> based attack signatures to a host of unknown destinations. I have spent
> some time cleaning and rebuilding the server with no luck until I turned
> off Squid.

Could you please paste in copies of the warnings/alerts/log entries you are
seeing?

Also, have you done a packet capture manually on that port to see what is
going on?

It is about equally likely that snort is giving you a false positive as it
is that anything is wrong with squid...

Regards,

- Brian
--
gentoo-security@gentoo.org mailing list
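Brian's reply asks for the raw alerts and a manual capture before concluding anything. One cheap check that goes with that request, added here as an example and not code from this thread or from Snort or Squid: take the Snort fast-format alert lines that name the proxy as the *source* and look them up in Squid's native access.log. If an alert's destination matches the upstream host of a client request Squid forwarded at about the same time, the "attack" is a proxied client request, not the server attacking anyone. The proxy address (192.168.1.2), the year used to complete Snort's month/day timestamps, the assumption that both logs are in UTC, and every log line below are constructed for the example.

```python
"""Correlate Snort alert_fast lines with Squid's native access.log.

All log lines, the proxy IP and the year are constructed for this example.
Snort's fast format has no year, so one is supplied; both logs are assumed
to be in UTC so the two timestamps can be compared directly.
"""
import re
from datetime import datetime, timezone

PROXY_IP = "192.168.1.2"   # assumed address of the Squid host

# Snort alert_fast line: "MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**] ... {PROTO} src:sport -> dst:dport"
ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<us>\d{6})"
    r"\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_snort_fast(line, year):
    """Return a dict for one alert_fast line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime(year, int(m["mon"]), int(m["day"]), int(m["h"]), int(m["m"]),
                  int(m["s"]), int(m["us"]), tzinfo=timezone.utc).timestamp()
    return {"ts": ts, "sid": int(m["sid"]), "msg": m["msg"], "proto": m["proto"],
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"])}


def parse_squid_native(line):
    """Squid native format: time elapsed client code/status bytes method URL rfc931 peerstatus/peerhost type."""
    f = line.split()
    if len(f) < 10:
        return None
    peer = f[8].split("/", 1)          # e.g. "DIRECT/203.0.113.7" or "NONE/-"
    return {"ts": float(f[0]), "client": f[2], "status": f[3], "method": f[5],
            "url": f[6], "peer": peer[1] if len(peer) == 2 else None}


def classify(alert_lines, squid_lines, year, proxy_ip=PROXY_IP, window=5.0):
    """For each alert, decide whether it is a request Squid forwarded for a client.

    Verdicts:
      "not proxy-sourced"          alert does not name the proxy as source
      "proxied client request"     Squid forwarded a request to that upstream within `window` seconds
      "no matching proxy request"  nothing in access.log explains it; capture and investigate
    """
    alerts = [a for a in (parse_snort_fast(l, year) for l in alert_lines) if a]
    squid = [r for r in (parse_squid_native(l) for l in squid_lines) if r]
    out = []
    for a in alerts:
        if a["src"] != proxy_ip:
            out.append({"sid": a["sid"], "dst": a["dst"], "verdict": "not proxy-sourced", "client": None})
            continue
        candidates = [r for r in squid
                      if r["peer"] == a["dst"] and abs(r["ts"] - a["ts"]) <= window]
        if candidates:
            best = min(candidates, key=lambda r: abs(r["ts"] - a["ts"]))
            out.append({"sid": a["sid"], "dst": a["dst"], "verdict": "proxied client request",
                        "client": best["client"], "url": best["url"]})
        else:
            out.append({"sid": a["sid"], "dst": a["dst"], "verdict": "no matching proxy request", "client": None})
    return out


# Constructed sample data (not real alerts): sids 1000001/1000002 are in Snort's local-rule range.
SNORT_ALERTS = [
    "11/06-10:03:15.120000  [**] [1:1000001:1] LOCAL sample web attack [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.2:39811 -> 203.0.113.7:80",
    "11/06-10:07:02.500000  [**] [1:1000002:1] LOCAL sample web attack [**] [Priority: 1] {TCP} 192.168.1.2:39950 -> 198.51.100.9:80",
    "11/06-10:09:44.000000  [**] [1:1000001:1] LOCAL sample web attack [**] [Priority: 1] {TCP} 10.0.0.77:51000 -> 192.168.1.2:3128",
]
# 1131271395 == 2005-11-06 10:03:15 UTC, i.e. the same moment as the first alert.
SQUID_LOG = [
    "1131271395.100    231 192.168.1.50 TCP_MISS/200 5123 GET http://203.0.113.7/cgi-bin/search?q=x - DIRECT/203.0.113.7 text/html",
    "1131271501.300     12 192.168.1.51 TCP_HIT/200 844 GET http://www.example.com/ - NONE/- text/html",
]


def run_example():
    return classify(SNORT_ALERTS, SQUID_LOG, year=2005)


if __name__ == "__main__":
    for row in run_example():
        print(row)
```

The first constructed alert lines up with a client (192.168.1.50) fetching a URL through Squid to the same upstream host, so Snort saw the proxy re-send that client's request; the second has no access.log counterpart, and that is the one worth a packet capture. Real Squid instances configured with a non-native log format will need `parse_squid_native` adjusted, and the time window should be widened if the two hosts' clocks are not synchronized.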