Hi all,

These are entries from my Snort IDS logs and my firewall logs for the IP address reported by Snort. It looks like an attempt to get into our Outlook Web Access server. If it was a hack, how could I tell if it was successful or not? I did a Google on it and did not come up with much.

[**] [1:882:1] WEB-CGI calendar access [**]
[Classification: Attempted Information Leak] [Priority: 3]
01/08-12:54:08.793287 12.224.241.144:1136 -> 63.xxx.xxx.xxx:80
TCP TTL:51 TOS:0x0 ID:2276 IpLen:20 DgmLen:730 DF
***AP*** Seq: 0xF608349 Ack: 0xFC8B5BF0 Win: 0x8ECD TcpLen: 20

[**] [1:882:1] WEB-CGI calendar access [**]
[Classification: Attempted Information Leak] [Priority: 3]
01/08-18:53:45.398355 12.224.241.144:1568 -> 63.xxx.xxx.xxx:80
TCP TTL:51 TOS:0x0 ID:5645 IpLen:20 DgmLen:818 DF
***AP*** Seq: 0x5C2AE779 Ack: 0x36609C29 Win: 0x8ECF TcpLen: 20

Jan 09 21:53:31.093 xxxxxxxxx httpd[339]: 121 Statistics: duration=4.23 id=51ZeM sent=544 rcvd=707 srcif=Vpn4 src=12.224.241.144/3172 cldst=63.xxx.xxx.xxx/80 svsrc=192.xxx.xxx.xxx dstif=Vpn3 dst=192.xxx.xxx.xxx/80 op=GET arg=http://www.venocoinc.com/exchange/forms/IPM/NOTE/frmRoot.asp?index=0&obj =000000005DDB3712FA5CD411A7EF00A0C9E0A0180700085F598189CED211A7BD00A0C9E0A01 8000000AC4A6B00006AC011B1CB7FD411BC78001083FC58260000006245B20000&command=op en result="302 Object moved" proto=http rule=6

Thanks for the help

Trevor Maingot * 805-745-2121 * 805-455-9660 * 805-745-1926 * [EMAIL PROTECTED]