I could use some help here. I have emerged Snort on my system here (along with SnortSnarf) and have been watching the alerts. What is causing my concern is that my server is being reported as a source for several web-based attack signatures to a host of unknown destinations. I have spent some time cleaning and rebuilding the server with no luck until I turned off Squid.
BTW, all clients behind the Squid box were turned off to ensure the server was the source. I am using the latest portage ebuild Squid-2.5.11 Stable with a clean build and I still get alerts from my box as source. Running 2.6.13-r5 kernel. I have tried Nessus to see if any unauthorized port was running (nothing other than standard ports) and ran McAfee Linux virus scan (nothing there either). I did not see anything on the web that would explain an exploit such as a worm or trojan that is based on the current Squid build. Any advice on the next thing to look at? I am starting to wonder if it's the Squid ebuild.

Thank you in advance,
JohnF
