Security Incident Reporting
---------------------------

This documents the steps that should be taken when reporting security problems to the originator and to public security organizations (CERT/SANS).

No attack is the same. Below are instructions for a generic attack, but there may be attacks that do not fall into any category. For these, the sysadmin should use his own judgement and apply whatever steps are necessary. For example, email virus attacks may require looking at email headers to determine the originator, rather than syslogs.

In some cases, the attacks may come from your own users. These are usually reported to us by other sysadmins. This document is NOT for those cases; they need to be handled very differently.

Overview of Steps:

1. Analyze logs to determine whether this is in fact an attack and whether it is worth reporting. The goal is to stop malicious users as soon as possible. One failed connection to the IMAP port (TCP/143) should not be considered a threat. However, a scan of the entire network for an open port 143 should definitely be considered an attack. Likewise, portscans of one machine are usually signs of an upcoming attack, and should be reported.

2. Isolate the logs so that they contain no information other than that related to the attack.

3. Determine the email address(es) to send a complaint to. This should mainly include the administrators of the domain that the attack originated from.

4. Gather information about the IP/attacker if possible.

5. Send a polite message requesting that they immediately stop this activity.

6. 'Sanitize' the logs and send them to SANS/CERT. Sanitizing means removing any reference to our organization (our IPs, mydomain.bogus, etc). Use the incident reporting form for the layout of the message.

7. Store the security incident information and any email correspondence locally for future reference.

--------

The following is an example which documents every step in a theoretical attack.

0. The Attack

First, the sysadmin receives the following logs generated by Snort on the firewall:

--- BEGIN EMAIL ---
From root@fileserv.mydomain.bogus Fri Dec 8 13:11:18 2000
Date: Sun, 3 Dec 2000 17:00:05 -0500
From: root
To: auto_scripts@mydomain.bogus
Subject: fileserv 12/03/00:17.00 system check

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Dec 3 16:18:48 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.2:2140
Dec 3 16:18:53 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.64:2140
Dec 3 16:18:53 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.65:2140
Dec 3 16:18:53 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.66:2140
Dec 3 16:18:54 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.67:2140
Dec 3 16:18:54 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.68:2140
Dec 3 16:18:54 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.69:2140
Dec 3 16:18:54 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.70:2140
Dec 3 16:18:54 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.71:2140
Dec 3 16:18:54 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.72:2140
Dec 3 16:18:54 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.73:2140
Dec 3 16:18:54 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.74:2140
Dec 3 16:18:54 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.75:2140
Dec 3 16:18:54 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.76:2140
Dec 3 16:18:54 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.77:2140
Dec 3 16:18:54 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.78:2140
Dec 3 16:18:54 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.79:2140
Dec 3 16:18:54 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.80:2140
Dec 3 16:18:55 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.81:2140
Dec 3 16:18:55 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.82:2140
Dec 3 16:18:55 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.83:2140
Dec 3 16:18:55 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.84:2140
Dec 3 16:18:55 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.85:2140
Dec 3 16:18:55 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.86:2140
Dec 3 16:18:55 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.87:2140
Dec 3 16:18:55 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.88:2140
Dec 3 16:18:55 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.89:2140
Dec 3 16:18:55 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.90:2140
Dec 3 16:18:55 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.91:2140
Dec 3 16:18:55 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.92:2140
Dec 3 16:18:55 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.93:2140
Dec 3 16:18:55 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.94:2140
Dec 3 16:18:56 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.95:2140
Dec 3 16:18:56 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.96:2140
Dec 3 16:18:56 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.97:2140
Dec 3 16:18:56 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.98:2140
Dec 3 16:18:56 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.99:2140
Dec 3 16:18:56 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.100:2140
Dec 3 16:18:56 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.101:2140
Dec 3 16:18:56 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.102:2140
Dec 3 16:18:56 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.103:2140
Dec 3 16:18:56 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.104:2140
Dec 3 16:18:56 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.105:2140
Dec 3 16:18:56 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.106:2140
Dec 3 16:18:56 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.107:2140
Dec 3 16:18:56 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.108:2140
Dec 3 16:18:56 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.109:2140
Dec 3 16:18:57 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.110:2140
Dec 3 16:18:57 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.111:2140
Dec 3 16:18:57 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.112:2140
Dec 3 16:18:57 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.113:2140
Dec 3 16:18:57 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.114:2140
Dec 3 16:18:57 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.115:2140
Dec 3 16:18:57 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.116:2140
Dec 3 16:18:57 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.117:2140
Dec 3 16:18:57 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.118:2140
Dec 3 16:18:57 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.119:2140
Dec 3 16:18:57 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.120:2140
Dec 3 16:18:57 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.121:2140
Dec 3 16:18:57 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.122:2140
Dec 3 16:18:57 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.123:2140
Dec 3 16:18:58 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.124:2140
Dec 3 16:18:58 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.125:2140
Dec 3 16:18:58 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.126:2140
Dec 3 16:18:58 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.127:2140
Dec 3 16:18:58 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.128:2140
Dec 3 16:18:58 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.129:2140
Dec 3 16:18:58 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.130:2140
Dec 3 16:18:58 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.131:2140
Dec 3 16:18:58 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.132:2140
Dec 3 16:18:58 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.133:2140
Dec 3 16:18:58 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.134:2140
Dec 3 16:18:58 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.135:2140
Dec 3 16:18:58 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.136:2140
Dec 3 16:18:58 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.137:2140
Dec 3 16:18:59 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.138:2140
Dec 3 16:18:59 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.139:2140
Dec 3 16:18:59 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.140:2140
Dec 3 16:18:59 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.141:2140
Dec 3 16:18:59 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.142:2140
Dec 3 16:18:59 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.143:2140
Dec 3 16:18:59 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.144:2140
Dec 3 16:18:59 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.145:2140
Dec 3 16:19:00 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.146:2140
Dec 3 16:19:00 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.147:2140
Dec 3 16:19:00 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.148:2140
Dec 3 16:19:00 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.149:2140
Dec 3 16:19:00 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.150:2140
Dec 3 16:19:00 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.151:2140
Dec 3 16:19:00 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.152:2140
Dec 3 16:19:00 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.153:2140
Dec 3 16:19:00 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.154:2140
Dec 3 16:19:00 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.155:2140
Dec 3 16:19:00 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.156:2140
Dec 3 16:19:00 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.157:2140
Dec 3 16:19:00 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.158:2140
Dec 3 16:19:00 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.159:2140
Dec 3 16:19:01 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.160:2140
Dec 3 16:19:01 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.161:2140
Dec 3 16:19:01 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.162:2140
Dec 3 16:19:01 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.163:2140
Dec 3 16:19:01 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.164:2140
Dec 3 16:19:01 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.165:2140
Dec 3 16:19:01 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.166:2140
Dec 3 16:19:01 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.167:2140
Dec 3 16:19:01 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.168:2140
Dec 3 16:19:01 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.169:2140
Dec 3 16:19:01 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.170:2140
Dec 3 16:19:01 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.171:2140
Dec 3 16:19:01 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.172:2140
Dec 3 16:19:02 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.173:2140
Dec 3 16:19:02 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.174:2140
Dec 3 16:19:02 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.175:2140
Dec 3 16:19:02 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.176:2140
Dec 3 16:19:02 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.177:2140
Dec 3 16:19:02 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.178:2140
Dec 3 16:19:02 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.179:2140
Dec 3 16:19:02 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.180:2140
Dec 3 16:19:02 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.181:2140
Dec 3 16:19:02 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.182:2140
Dec 3 16:19:02 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.183:2140
Dec 3 16:19:03 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.184:2140
Dec 3 16:19:03 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.185:2140
Dec 3 16:19:03 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.186:2140
Dec 3 16:19:03 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.187:2140
Dec 3 16:19:03 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.188:2140
Dec 3 16:19:03 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.189:2140
Dec 3 16:19:03 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.190:2140
Dec 3 16:19:03 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.191:2140
Dec 3 16:19:03 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.192:2140
Dec 3 16:19:03 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.193:2140
Dec 3 16:19:03 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.194:2140
Dec 3 16:19:03 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.195:2140
Dec 3 16:19:03 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.196:2140
Dec 3 16:19:03 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.197:2140
Dec 3 16:19:03 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.198:2140
Dec 3 16:19:03 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.199:2140
Dec 3 16:19:04 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.200:2140
Dec 3 16:19:04 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.201:2140
Dec 3 16:19:04 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.202:2140
Dec 3 16:19:04 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.203:2140
Dec 3 16:19:04 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.204:2140
Dec 3 16:19:04 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.205:2140
Dec 3 16:19:04 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.206:2140
Dec 3 16:19:04 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.207:2140
Dec 3 16:19:04 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.208:2140
Dec 3 16:19:04 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.209:2140
Dec 3 16:19:04 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.210:2140
Dec 3 16:19:05 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.211:2140
Dec 3 16:19:05 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.212:2140
Dec 3 16:19:05 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.213:2140
Dec 3 16:19:05 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.214:2140
Dec 3 16:19:05 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.215:2140
Dec 3 16:19:05 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.216:2140
Dec 3 16:19:05 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.217:2140
Dec 3 16:19:05 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.218:2140
Dec 3 16:19:05 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.219:2140
Dec 3 16:19:05 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.220:2140
Dec 3 16:19:05 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.221:2140
Dec 3 16:19:05 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.222:2140
Dec 3 16:19:06 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.223:2140
Dec 3 16:19:06 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.224:2140
Dec 3 16:19:06 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.225:2140
Dec 3 16:19:06 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.226:2140
Dec 3 16:19:06 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.227:2140
Dec 3 16:19:06 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.228:2140
Dec 3 16:19:06 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.229:2140
Dec 3 16:19:06 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.230:2140
Dec 3 16:19:06 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.231:2140
Dec 3 16:19:06 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.232:2140
Dec 3 16:19:07 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.233:2140
Dec 3 16:19:07 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.234:2140
Dec 3 16:19:07 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.235:2140
Dec 3 16:19:07 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.236:2140
Dec 3 16:19:07 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.237:2140
Dec 3 16:19:07 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.238:2140
Dec 3 16:19:07 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.239:2140
Dec 3 16:19:07 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.240:2140
Dec 3 16:19:07 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.241:2140
Dec 3 16:19:07 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.242:2140
Dec 3 16:19:08 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.243:2140
Dec 3 16:19:08 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.244:2140
Dec 3 16:19:08 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.245:2140
Dec 3 16:19:08 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.246:2140
Dec 3 16:19:08 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.247:2140
Dec 3 16:19:08 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.248:2140
Dec 3 16:19:08 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.249:2140
Dec 3 16:19:08 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.250:2140
Dec 3 16:19:09 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.251:2140
Dec 3 16:19:09 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.252:2140
Dec 3 16:19:09 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.253:2140
Dec 3 16:19:09 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.254:2140
Dec 3 16:19:09 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.255:2140
Dec 3 16:20:10 mail.mydomain.bogus scanmails[4508]: FOUND VIRUS IN MAIL from MAILER-DAEMON@mail.mydomain.bogus to bogususer
--- END EMAIL ---

1. Analysis

Snort is an IDS (Intrusion Detection System) that looks for attack signatures in every packet. The alerts above were raised by the 'IDS106' rule. Some Snort alerts are harmless, so it is up to the sysadmin to determine whether this is a threat or not. It is very important to keep the Snort rules file up to date so that the latest signatures are recognized. See www.snort.org for more information. This example deals with Snort alerts, but many other types of connections may be considered attacks.
For example, 50 NOQUEUE connections logged by sendmail are definitely something to look into. The sysadmin just needs to look for these tell-tale signs and must know how the services work and how they log problems.

The above logs clearly show a scan of our entire network 1.2.3.1 -> 1.2.3.255 for some sort of backdoor. Note the gap from .3 to .63. This may be an external network whose packets do not pass through the firewall running Snort, so they are not logged. However, looking at the rest, it is clear they scanned everything.

Another thing to note in this example is the last log entry, the 'virus'. It demonstrates unrelated information in the logs. However, even such seemingly unrelated information may in fact be related. For example, if the sendmail logs on mail.mydomain.bogus show that the virus message came from 208.138.219.12, then this is more interesting: in that case the logs show what the user did before he attempted to send a virus. Such information is very valuable, as it might indicate the signature of a tool being used by the attacker. Unfortunately, time and analysis are required by the sysadmin in order to correlate such logs. In our case we will assume it is NOT related.

There is not much more analysis that can be done on these logs, and we determine this is definitely an attempted attack on our network. Proceed to the next step.

2. Isolate logs

Store the above logs in a text file. This should include only the relevant lines. We will call the resulting file incident.txt. It is very important to remove any other unrelated information from the logs. We do not want to send such information in our report; it may even lead to more attacks!
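As an added example that is not part of the original document, the following Python script carries out step 1 and step 2 on alert lines in the format shown above: it groups the Snort alerts by source address and signature, reports the swept range with any holes in it, and writes only the incident's own lines to incident.txt. The 16-host sweep threshold and the constructed log excerpt inside it are assumptions, not values from the page.

```python
"""Steps 1 and 2 on the Snort alerts above: summarize the scan, then isolate it.

Added example, not part of the original document. Parses the
'src:port -> dst:port' alert lines as Snort writes them to syslog, groups
them by (source IP, signature), reports the swept range and the holes in
it (the .3 to .63 gap noted in the analysis), and keeps only the
incident's own lines so unrelated entries such as the scanmails virus
notice never reach the report. The 16-host threshold and the excerpt
below are assumptions, not values from the page.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Layout of one Snort syslog alert as it appears on this page.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) snort\[\d+\]: "
    r"(?P<sig>.+?): (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s*$"
)
LOG_YEAR = 2000  # syslog stamps carry no year; taken from the mail header above

# Constructed excerpt modelled on the page's logs: the .2 probe, twenty
# hosts from .64 upwards, and the unrelated virus notice that ends the mail.
_ALERT = ("Dec 3 16:18:{sec:02d} fwml-off.mydomain.bogus snort[31292]: IDS106 - "
          "BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on "
          "Network: 208.138.219.12:60000 -> 1.2.3.{host}:2140")
SAMPLE_LOG = [_ALERT.format(sec=48, host=2)]
SAMPLE_LOG += [_ALERT.format(sec=53 + (h - 64) // 4, host=h) for h in range(64, 84)]
SAMPLE_LOG.append("Dec 3 16:20:10 mail.mydomain.bogus scanmails[4508]: FOUND VIRUS IN "
                  "MAIL from MAILER-DAEMON@mail.mydomain.bogus to bogususer")


def parse_alert(line):
    """Return the fields of one Snort alert line, or None for any other line."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    a = m.groupdict()
    a["time"] = datetime.strptime(f"{LOG_YEAR} {a['ts']}", "%Y %b %d %H:%M:%S")
    return a


def find_gaps(addrs):
    """(first missing, last missing) for every hole in a sorted address list."""
    gaps = []
    for lo, hi in zip(addrs, addrs[1:]):
        if int(hi) - int(lo) > 1:
            gaps.append((str(lo + 1), str(hi - 1)))
    return gaps


def summarize(lines):
    """Step 1: group alerts by (source, signature) and describe each group."""
    groups = defaultdict(list)
    for line in lines:
        a = parse_alert(line)
        if a:
            groups[(a["src"], a["sig"])].append(a)
    summary = {}
    for key, alerts in groups.items():
        dsts = sorted({ipaddress.ip_address(a["dst"]) for a in alerts})
        times = [a["time"] for a in alerts]
        summary[key] = {
            "alerts": len(alerts),
            "hosts": len(dsts),
            "first": min(times),
            "last": max(times),
            "dst_ports": sorted({int(a["dport"]) for a in alerts}),
            "range": (str(dsts[0]), str(dsts[-1])),
            "gaps": find_gaps(dsts),
        }
    return summary


def is_sweep(group, min_hosts=16):
    """One probe is noise; one source hitting many hosts on a port is a scan."""
    return group["hosts"] >= min_hosts


def isolate(lines, src, sig):
    """Step 2: keep only the lines of one incident; this is incident.txt."""
    return [line.rstrip() for line in lines
            if (a := parse_alert(line)) and a["src"] == src and a["sig"] == sig]


if __name__ == "__main__":
    for (src, sig), g in summarize(SAMPLE_LOG).items():
        verdict = "SWEEP" if is_sweep(g) else "single probe"
        print(f"{src} [{sig}]: {g['hosts']} hosts {g['range'][0]}-{g['range'][1]}, "
              f"ports {g['dst_ports']}, {g['first']:%H:%M:%S}-{g['last']:%H:%M:%S}, "
              f"gaps {g['gaps']} -> {verdict}")
        if is_sweep(g):
            with open("incident.txt", "w") as fh:
                fh.write("\n".join(isolate(SAMPLE_LOG, src, sig)) + "\n")
```

Run against a real syslog extract, the same two functions give the host count and time window for the complaint and a clean incident.txt without the unrelated virus line.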
The resulting file should look like:

--- BEGIN incident.txt ---
Dec 3 16:18:48 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.2:2140
Dec 3 16:18:53 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.64:2140
Dec 3 16:18:53 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.65:2140
Dec 3 16:18:53 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.66:2140
Dec 3 16:18:54 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.67:2140
Dec 3 16:18:54 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.68:2140
Dec 3 16:18:54 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.69:2140
Dec 3 16:18:54 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.70:2140
Dec 3 16:18:54 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.71:2140
Dec 3 16:18:54 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.72:2140
Dec 3 16:18:54 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.73:2140
Dec 3 16:18:54 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.74:2140
Dec 3 16:18:54 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.75:2140
Dec 3 16:18:54 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.76:2140
Dec 3 16:18:54 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.77:2140
Dec 3 16:18:54 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.78:2140
Dec 3 16:18:54 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.79:2140
Dec 3 16:18:54 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.80:2140
Dec 3 16:18:55 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.81:2140
Dec 3 16:18:55 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.82:2140
Dec 3 16:18:55 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.83:2140
Dec 3 16:18:55 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.84:2140
Dec 3 16:18:55 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.85:2140
Dec 3 16:18:55 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.86:2140
Dec 3 16:18:55 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.87:2140
Dec 3 16:18:55 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.88:2140
Dec 3 16:18:55 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.89:2140
Dec 3 16:18:55 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.90:2140
Dec 3 16:18:55 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.91:2140
Dec 3 16:18:55 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.92:2140
Dec 3 16:18:55 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.93:2140
Dec 3 16:18:55 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.94:2140
Dec 3 16:18:56 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.95:2140
Dec 3 16:18:56 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.96:2140
Dec 3 16:18:56 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.97:2140
Dec 3 16:18:56 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.98:2140
Dec 3 16:18:56 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.99:2140
Dec 3 16:18:56 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.100:2140
Dec 3 16:18:56 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.101:2140
Dec 3 16:18:56 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.102:2140
Dec 3 16:18:56 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.103:2140
Dec 3 16:18:56 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.104:2140
Dec 3 16:18:56 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.105:2140
Dec 3 16:18:56 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.106:2140
Dec 3 16:18:56 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.107:2140
Dec 3 16:18:56 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.108:2140
Dec 3 16:18:56 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.109:2140
Dec 3 16:18:57 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.110:2140
Dec 3 16:18:57 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.111:2140
Dec 3 16:18:57 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.112:2140
Dec 3 16:18:57 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.113:2140
Dec 3 16:18:57 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.114:2140
Dec 3 16:18:57 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.115:2140
Dec 3 16:18:57 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.116:2140
Dec 3 16:18:57 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.117:2140
Dec 3 16:18:57 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.118:2140
Dec 3 16:18:57 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.119:2140
Dec 3 16:18:57 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.120:2140
Dec 3 16:18:57 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.121:2140
Dec 3 16:18:57 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.122:2140
Dec 3 16:18:57 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.123:2140
Dec 3 16:18:58 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.124:2140
Dec 3 16:18:58 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.125:2140
Dec 3 16:18:58 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.126:2140
Dec 3 16:18:58 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.127:2140
Dec 3 16:18:58 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.128:2140
Dec 3 16:18:58 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.129:2140
Dec 3 16:18:58 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.130:2140
Dec 3 16:18:58 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.131:2140
Dec 3 16:18:58 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.132:2140
Dec 3 16:18:58 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.133:2140
Dec 3 16:18:58 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.134:2140
Dec 3 16:18:58 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.135:2140
Dec 3 16:18:58 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.136:2140
Dec 3 16:18:58 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.137:2140
Dec 3 16:18:59 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.138:2140
Dec 3 16:18:59 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.139:2140
Dec 3 16:18:59 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.140:2140
Dec 3 16:18:59 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.141:2140
Dec 3 16:18:59 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.142:2140
Dec 3 16:18:59 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.143:2140
Dec 3 16:18:59 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.144:2140
Dec 3 16:18:59 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.145:2140
Dec 3 16:19:00 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.146:2140
Dec 3 16:19:00 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.147:2140
Dec 3 16:19:00 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.148:2140
Dec 3 16:19:00 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.149:2140
Dec 3 16:19:00 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.150:2140
Dec 3 16:19:00 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.151:2140
Dec 3 16:19:00 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.152:2140
Dec 3 16:19:00 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.153:2140
Dec 3 16:19:00 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.154:2140
Dec 3 16:19:00 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.155:2140
Dec 3 16:19:00 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.156:2140
Dec 3 16:19:00 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.157:2140
Dec 3 16:19:00 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.158:2140
Dec 3 16:19:00 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.159:2140
Dec 3 16:19:01 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.160:2140
Dec 3 16:19:01 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.161:2140
Dec 3 16:19:01 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.162:2140
Dec 3 16:19:01 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.163:2140
Dec 3 16:19:01 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.164:2140
Dec 3 16:19:01 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.165:2140
Dec 3 16:19:01 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.166:2140
Dec 3 16:19:01 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.167:2140
Dec 3 16:19:01 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.168:2140
Dec 3 16:19:01 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.169:2140
Dec 3 16:19:01 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.170:2140
Dec 3 16:19:01 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.171:2140
Dec 3 16:19:01 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.172:2140
Dec 3 16:19:02 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.173:2140
Dec 3 16:19:02 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.174:2140
Dec 3 16:19:02 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.175:2140
Dec 3 16:19:02 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.176:2140
Dec 3 16:19:02 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.177:2140
Dec 3 16:19:02 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.178:2140
Dec 3 16:19:02 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.179:2140
Dec 3 16:19:02 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.180:2140
Dec 3 16:19:02 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.181:2140
Dec 3 16:19:02 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.182:2140
Dec 3 16:19:02 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.183:2140
Dec 3 16:19:03 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.184:2140
Dec 3 16:19:03 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.185:2140
Dec 3 16:19:03 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.186:2140
Dec 3 16:19:03 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.187:2140
Dec 3 16:19:03 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.188:2140
Dec 3 16:19:03 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.189:2140
Dec 3 16:19:03 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.190:2140
Dec 3 16:19:03 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.191:2140
Dec 3 16:19:03 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.192:2140
Dec 3 16:19:03 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.193:2140
Dec 3 16:19:03 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.194:2140
Dec 3 16:19:03 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.195:2140
Dec 3 16:19:03 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.196:2140
Dec 3 16:19:03 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.197:2140
Dec 3 16:19:03 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.198:2140
Dec 3 16:19:03 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.199:2140
Dec 3 16:19:04 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.200:2140
Dec 3 16:19:04 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.201:2140
Dec 3 16:19:04 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.202:2140
Dec 3 16:19:04 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.203:2140
Dec 3 16:19:04 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.204:2140
Dec 3 16:19:04 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.205:2140
Dec 3 16:19:04 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.206:2140
Dec 3 16:19:04 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.207:2140
Dec 3 16:19:04 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.208:2140
Dec 3 16:19:04 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.209:2140
Dec 3 16:19:04 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.210:2140
Dec 3 16:19:05 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.211:2140
Dec 3 16:19:05 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.212:2140
Dec 3 16:19:05 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.213:2140
Dec 3 16:19:05 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.214:2140
Dec 3 16:19:05 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.215:2140
Dec 3 16:19:05 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.216:2140
Dec 3 16:19:05 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.217:2140
Dec 3 16:19:05 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.218:2140
Dec 3 16:19:05 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.219:2140
Dec 3 16:19:05 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.220:2140
Dec 3 16:19:05 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.221:2140
Dec 3 16:19:05 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.222:2140
Dec 3 16:19:06 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.223:2140
Dec 3 16:19:06 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.224:2140
Dec 3 16:19:06 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.225:2140
Dec 3 16:19:06 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.226:2140
Dec 3 16:19:06 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.227:2140
Dec 3 16:19:06 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.228:2140
Dec 3 16:19:06 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.229:2140
Dec 3 16:19:06 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.230:2140
Dec 3 16:19:06 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.231:2140
Dec 3 16:19:06 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.232:2140
Dec 3 16:19:07 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.233:2140
Dec 3 16:19:07 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.234:2140
Dec 3 16:19:07 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.235:2140
Dec 3 16:19:07 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.236:2140
Dec 3 16:19:07 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.237:2140
Dec 3 16:19:07 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.238:2140
Dec 3 16:19:07 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network:
208.138.219.12:60000 -> 1.2.3.239:2140 Dec 3 16:19:07 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.240:2140 Dec 3 16:19:07 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.241:2140 Dec 3 16:19:07 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.242:2140 Dec 3 16:19:08 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.243:2140 Dec 3 16:19:08 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.244:2140 Dec 3 16:19:08 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.245:2140 Dec 3 16:19:08 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.246:2140 Dec 3 16:19:08 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.247:2140 Dec 3 16:19:08 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.248:2140 Dec 3 16:19:08 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.249:2140 Dec 3 16:19:08 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 
208.138.219.12:60000 -> 1.2.3.250:2140
Dec 3 16:19:09 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.251:2140
Dec 3 16:19:09 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.252:2140
Dec 3 16:19:09 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.253:2140
Dec 3 16:19:09 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.254:2140
Dec 3 16:19:09 fwml-off.mydomain.bogus snort[31292]: IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: 208.138.219.12:60000 -> 1.2.3.255:2140
--- END incident.txt ---

3. Determine originator.

The next step is determining where this originated from. We have the IP,
which we use to get more information. First try nslookup on the attacker
IP:

nslookup 208.138.219.12

Name:    ppp-208-138-219-12.coqui.net
Address: 208.138.219.12

This resolves, and we should send our complaints to the admins of
coqui.net. Do a whois lookup for coqui.net. On a Linux machine:

whois coqui.net

[whois.internic.net]

Whois Server Version 1.3

Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: COQUI.NET
   Registrar: NETWORK SOLUTIONS, INC.
   Whois Server: whois.networksolutions.com
   Referral URL: www.networksolutions.com
   Name Server: NAMESERVER.COQUI.COM
   Name Server: NAMESERVER.COQUI.NET
   Updated Date: 09-sep-2000

This tells us that the domain is registered through networksolutions.com.
We then do:

whois coqui.net@whois.networksolutions.com

[whois.networksolutions.com]

Registrant:
Datacom Caribe, Inc. (COQUI2-DOM)
   965 Americo Miranda Ave.
   San Juan, PR 00921
   US

   Domain Name: COQUI.NET

   Administrative Contact, Technical Contact, Billing Contact:
      Gonzalez, Guillermo  (GG1167)  domains@COQUI.NET
      Datacom Caribe, Inc.
      965 Americo Miranda Ave.
      San Juan, PR 00921
      US
      (787)753-1771 (787)753-1764
...

In this case, our contact person should be domains@COQUI.NET.

Note there are also many web-based WHOIS servers. One very good one that
makes this information easy to look up across multiple registrars is:

http://www.allwhois.com

In many cases the IP will not resolve. What should be done instead is a
whois lookup on ARIN. On a Linux machine we can do the following:

whois 208.138.219.12@whois.arin.net

[whois.arin.net]
Cable & Wireless USA (NETBLK-CW-10BLK) CW-10BLK  208.128.0.0 - 208.175.255.255
DATACOM CARIBE, INC. (NETBLK-CW-208-138-216) CW-208-138-216  208.138.216.0 - 208.138.223.255

To single out one record, look it up with "!xxx", where xxx is the handle,
shown in parentheses following the name, which comes first.

We are returned 2 records, but the 2nd one includes the IP we want. Single
out the record with:

whois \!NETBLK-CW-208-138-216@whois.arin.net

[whois.arin.net]
DATACOM CARIBE, INC. (NETBLK-CW-208-138-216)
   965 AMERICO MIRANDA AVE.
   SAN JUAN, 00921
   PR

   Netname: CW-208-138-216
   Netblock: 208.138.216.0 - 208.138.223.255
   Maintainer: DCI

   Coordinator:
      Gonzalez, Guillermo  (GG1167-ARIN)  gg@COQUI.NET
      (787)753-1771 (FAX) (787)753-1764

Note the escaping (\!) of the exclamation point; without it the shell
treats "!" as history expansion. Also notice we are given a different
email address than in the above lookup. Either will do, but it does not
hurt to send the complaint to both.

If you are not able to get the domain information by any of the above
methods, you can use 'dig' to find out who is the authoritative nameserver
for that in-addr.arpa domain. This is usually the domain hosting the
system.
So if 208.138.219.12 did not resolve, we'd try:

dig -x 208.138.219

which gives us something like:

...
;; ANSWER SECTION:
219.138.208.in-addr.arpa.  1H IN NS  nameserver.coqui.net.
219.138.208.in-addr.arpa.  1H IN NS  nameserver.coqui.com.
...

If that still returns nothing, try removing the next octet as well
(dig -x 208.138), and so on.

If you are still not able to find the domain, the last resort is doing a
traceroute to the IP. On a machine on the outside, issue a traceroute and
take the last resolvable address on the route. Assume this is the domain
the attack came from.

Back to our example. At this point, we have 2 addresses where we should
send a complaint to:

gg@COQUI.NET
domains@COQUI.NET

For safety, we should also include the following:

root@COQUI.NET
postmaster@COQUI.NET
webmaster@COQUI.NET
abuse@COQUI.NET

Normally we would also want to send a message directly to the machine that
made the attack. However, in this case the address
ppp-208-138-219-12.coqui.net appears to be dynamic, so it won't make much
sense to send mail there.

In many cases the IP does not appear to be dynamic. For example, say the
attack was from reality.cse.fau.edu. Then you should CC your complaint
directly to the machine operators as well:

root@reality.cse.fau.edu
postmaster@reality.cse.fau.edu
webmaster@reality.cse.fau.edu
abuse@reality.cse.fau.edu

Note you should NOT use IP addresses after the @. So for IPs that do not
resolve this should not be done.

Note that you may get bounce-back messages saying the user does not exist.
This is fine and can be ignored; however, at least one email should
succeed. If not, more research needs to be done to find out who to send
to. Other possible means of finding contacts include going to the website
for the domain (if it resolves). Usually there is an abuse policy and/or
email addresses on their website.

4. Gather information on attacker

Gathering info on the IP usually requires action by the sysadmin very
close to the time the event happened.
For example, in this case of a dynamic IP, it does not make sense to
gather information on the IP 5 days later, by which time it is definitely
a different user.

If you believe the IP is not dynamic, or you are close to the time frame
of the attack, include the output of the following commands in your
report, using the proper address/IP:

finger @ppp-208-138-219-12.coqui.net

[ppp-208-138-219-12.coqui.net]
finger: connect: Connection refused

telnet ppp-208-138-219-12.coqui.net

Trying 208.138.219.12...
telnet: Unable to connect to remote host: Connection refused

telnet ppp-208-138-219-12.coqui.net 22

Trying 208.138.219.12...
telnet: Unable to connect to remote host: Connection refused

telnet ppp-208-138-219-12.coqui.net 25

Trying 208.138.219.12...
telnet: Unable to connect to remote host: Connection refused

telnet ppp-208-138-219-12.coqui.net 139

Trying 208.138.219.12...
telnet: Unable to connect to remote host: Connection refused

NOTE: If 139 answers, you should then use smbclient (from any Redhat box)
as follows:

smbclient -N -L ppp-208-138-219-12.coqui.net

If you are lucky you will get a lot of information from this. When
including this output be sure to remove any of the 'added interface'
lines.

telnet ppp-208-138-219-12.coqui.net 6000

Trying 208.138.219.12...
telnet: Unable to connect to remote host: Connection refused

telnet ppp-208-138-219-12.coqui.net 6001

Trying 208.138.219.12...
telnet: Unable to connect to remote host: Connection refused

A successful connection to one of these ports may tell you a little about
the host OS. For example, many attackers use Redhat and leave telnetd
enabled.

In the case above, we weren't able to find any info. You should not do a
full portscan of their machine, as this may look like retaliation.

Note that if finger returned a userlist, and the list is small (1 or 2
users), also include in your CC list username@address, where address is
the hostname of the attacker (not the IP).
X losers
--------

If 6000 or 6001 respond, the user may be running X. If we're lucky, he is
running without access control. We can attempt to get a dump of his screen
with the command:

xwd -display 208.138.219.12:0 -out screenshot.xwd -root

Xlib: connection to "208.138.219.12:0.0" refused by server
Xlib: Client is not authorized to connect to Server
xwd: unable to open display '208.138.219.12:0'

The above was for port 6000. If 6001 was open, use IP:1 instead.

As can be seen above, we could not get a screendump. If it did succeed, you
can view the screenshot with the command:

xwud -in screenshot.xwd

Note these screenshots should not be included in any incident reports. If
you are able to get one, store it in the directory structure described in
step #7. This method is used only to get more information about the
attacker.

5. Send message reporting incident to admins and/or attacker

The message sent to the addresses should be short and to the point,
including the logs from steps 2, 3, and 4. You should include the 'whois'
procedure in your message so it shows how you determined where to send the
message. Do not boast or make threats, as this will most likely lead to
more powerful attacks on the systems. Many times you will never get a
reply. However, it is very important to at least report the problem and
hope they will take care of it.

The following is a message sent in our example:

--- BEGIN MESSAGE ---
From valankar@mydomain.bogus Fri Oct 20 14:42:03 2000
Date: Fri, 20 Oct 2000 14:40:49 -0400 (EDT)
From: Viraj Alankar
To: gg@COQUI.NET
Cc: domains@COQUI.NET, root@COQUI.NET, postmaster@COQUI.NET, webmaster@COQUI.NET
Subject: Possible attack from your system

System Administrators,

We noticed what is most likely an attempted attack on our computers which
has been logged from the address ppp-208-138-219-12.coqui.net
(208.138.219.12). We ask that you please look into this matter as soon as
possible.
Attached below are our logs which show evidence of TCP port 2140
connections being made to almost every one of our IPs. This port is well
known as a DeepThroat backdoor. The dates and times of the requests are
listed below.

Please let us know how we can be of further assistance tracking this down.
We consider this a very serious threat to our company systems. Thank you
for your cooperation in this matter.

(note that all hostnames listed below are in the mydomain.bogus domain,
and all times are Eastern US time - GMT -0500)

Viraj.

> Insert incident.txt generated from step #2 here in the body of the message,
> NOT as an attachment

Name:    ppp-208-138-219-12.coqui.net
Address: 208.138.219.12

whois coqui.net@whois.networksolutions.com

[whois.networksolutions.com]

Registrant:
Datacom Caribe, Inc. (COQUI2-DOM)
   965 Americo Miranda Ave.
   San Juan, PR 00921
   US

   Domain Name: COQUI.NET

   Administrative Contact, Technical Contact, Billing Contact:
      Gonzalez, Guillermo  (GG1167)  domains@COQUI.NET
      Datacom Caribe, Inc.
      965 Americo Miranda Ave.
      San Juan, PR 00921
      US
      (787)753-1771 (787)753-1764

whois \!NETBLK-CW-208-138-216@whois.arin.net

[whois.arin.net]
DATACOM CARIBE, INC. (NETBLK-CW-208-138-216)
   965 AMERICO MIRANDA AVE.
   SAN JUAN, 00921
   PR

   Netname: CW-208-138-216
   Netblock: 208.138.216.0 - 208.138.223.255
   Maintainer: DCI

   Coordinator:
      Gonzalez, Guillermo  (GG1167-ARIN)  gg@COQUI.NET
      (787)753-1771 (FAX) (787)753-1764

> Insert all information you were able to obtain on the IP from the above
> steps here.
--- END MESSAGE ---

Make sure to include the timezone of the logs as above. Also include any
office contact information. This is very important.

Note that I did not include logs from step #4 because I believe it is a
dynamic IP and no information was gathered anyhow.

6. Sanitize logs and send to CERT/SANS

The incident should be reported to CERT unsanitized. They do not publish
incidents.
For reporting to CERT, create a message similar to the following:

--- BEGIN MESSAGE ---
Submit this form to: cert@cert.org
If you are unable to send email, fax this form to: +1 412 268 6989

Your contact information
   name ...........: Viraj Alankar
   email address...: valankar@mydomain.bogus
   telephone number: +1 123 456 7890
   other...........:

Affected Machine(s)
(duplicate for each host)
   hostname and IP.: 1.2.3.2, 1.2.3.64 through 1.2.3.255
   timezone........: Eastern US Time - GMT-0500

Source(s) of the Attack
(duplicate for each host)
   hostname or IP..: ppp-208-138-219-12.coqui.net 208.138.219.12
   timezone........: unknown
   been in contact?: yes, correspondence attached below.

Description of the incident
   DeepThroat backdoor attempt to all affected machines.

> Include the full message from step 5 here. Make sure to include all of
> the message headers as well (who it was sent to, time, etc)
--- END MESSAGE ---

Store this in a file incident_report.txt. It should be sent to
cert@cert.org with the subject:

Incident Report - DOMAIN

where DOMAIN would be coqui.net in our example.

Next copy this file to sans.txt, and replace all instances of anything
related to your company with bogus information. For example, in vi:

:%s/mydomain.bogus/mydomain.com/g
:%s/our.ip.blocks./1.2.3./g

(In a vi pattern an unescaped '.' matches any character, so write the
dots as '\.' if you want an exact match and nothing else touched.)

And any other things that would give away too much information. Also be
sure to remove any signature with your contact information. Add to the top
of this message:

NOTE: All references to our own IP addresses below have their first 3
octets replaced with 1.2.3 and all references to our domain name have been
replaced with mydomain.com.

This new message should be sent to intrusion@sans.org with the same
subject as the CERT message. SANS posts incidents on their website, so we
must sanitize the information.

7. Store information locally

A directory structure should be made similar to:

security/outsiders/DOMAIN_NAME/DATE

In our example:

security/outsiders/coqui.net/12-08-2000/
   email.txt           - All email correspondence with admins of the domain
                         or the attacker. New messages should be APPENDED
                         to this file. This includes the original email
                         sent out.
   incident_report.txt - Incident email sent to cert@cert.org
   sans.txt            - Sanitized incident email sent to intrusion@sans.org

Note the DATE should be the date you report the incident, not the attack
date.
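The following script is an added example, not part of the original document or of Snort: it parses alert lines in the format shown in incident.txt, keeps only the attack-related ones (step 2), tells a network-wide scan from a stray connection per source (step 1), and does the step 6 sanitizing with exact matches instead of the vi patterns. The sample lines, the domain example.org, the 192.0.2 block and the threshold of 5 hosts are all constructed assumptions.

```python
import re
from collections import defaultdict

# Format of the Snort syslog alerts shown in incident.txt above:
#   <timestamp> <sensor> snort[pid]: <signature>: <src>:<sport> -> <dst>:<dport>
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<sensor>\S+) snort\[\d+\]: "
    r"(?P<sig>.+?): (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

# Constructed sample (not the page's real log): the same alert format with a
# made-up "real" domain (example.org) and block (192.0.2.0/24), one unrelated
# sshd line that step 2 says to leave out, and one stray alert from elsewhere.
_DT = ("Dec  3 16:19:{:02d} fwml-off.example.org snort[31292]: IDS106 - BACKDOOR "
       "SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network: "
       "208.138.219.12:60000 -> 192.0.2.{}:2140")
SAMPLE_LINES = [_DT.format(s, h) for s, h in zip(range(3, 9), range(195, 201))]
SAMPLE_LINES.insert(2, "Dec  3 16:19:04 fwml-off.example.org sshd[1020]: "
                       "Accepted password for alice from 192.0.2.7 port 51022")
SAMPLE_LINES.append("Dec  3 16:40:00 fwml-off.example.org snort[31292]: "
                    "SCAN Proxy attempt: 198.51.100.9:4021 -> 192.0.2.10:8080")


def parse_alerts(lines):
    """Step 2: keep only lines in the Snort alert format, as parsed dicts."""
    alerts = []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def summarize(alerts):
    """Step 1: per (source IP, destination port), how many distinct hosts of
    ours were touched and over what time span. One target is a stray
    connection; many targets within seconds is a scan of the network."""
    groups = defaultdict(lambda: {"targets": set(), "first": None, "last": None})
    for a in alerts:
        g = groups[(a["src"], a["dport"])]
        g["targets"].add(a["dst"])
        g["first"] = g["first"] or a["ts"]
        g["last"] = a["ts"]
    return {k: {"targets": len(v["targets"]), "first": v["first"], "last": v["last"]}
            for k, v in groups.items()}


def worth_reporting(summary, min_targets=5):
    """Which (source, port) pairs look like a scan rather than a one-off.
    The threshold of 5 hosts is an arbitrary assumption; tune it locally."""
    return {k: v["targets"] >= min_targets for k, v in summary.items()}


def sanitize(text, our_domain, our_prefix,
             fake_domain="mydomain.com", fake_prefix="1.2.3"):
    """Step 6: the two vi substitutions, done with exact matching. The prefix
    is anchored on a word boundary and must be followed by '.' and a digit,
    so a block such as 192.0.20.x is left alone when ours is 192.0.2.x."""
    text = text.replace(our_domain, fake_domain)
    pattern = r"\b" + re.escape(our_prefix) + r"\.(?=\d)"
    return re.sub(pattern, fake_prefix + ".", text)


if __name__ == "__main__":
    for key, verdict in worth_reporting(summarize(parse_alerts(SAMPLE_LINES))).items():
        print(key, "scan, report it" if verdict else "single connection")
    print(sanitize("\n".join(SAMPLE_LINES), "example.org", "192.0.2"))
```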