Environment: Ubuntu 10.4 + psad 2.1.5
Running $ sudo psad -S gives abnormal results:
......
- Top 50 signature matches:
"BACKDOOR win-trin00 connection attempt" (udp), Count: 3, Unique sources: 1, Sid: 1853
......
SRC: 8.8.8.8, DL: 4, Dsts: 1, Pkts: 3620, Unique sigs: 1, Email alerts: 454
DST: 192.168.XX.XX, Local IP
Scanned ports: UDP 32781-60933, Pkts: 3620, Chain: INPUT, Intf: eth1
Signature match: "BACKDOOR win-trin00 connection attempt"
UDP, Chain: INPUT, Count: 3, DP: 35555, Sid: 1853
......
==========
......
- Top 50 signature matches:
"RPC portmap listing UDP 32771" (udp), Count: 3, Unique sources: 1, Sid: 1281
......
SRC: 8.8.8.8, DL: 5, Dsts: 1, Pkts: 36045, Unique sigs: 1, Email alerts: 2887
DST: 192.168.XX.X, Local IP
Scanned ports: UDP 32771-61000, Pkts: 36045, Chain: INPUT, Intf: eth1
Signature match: "RPC portmap listing UDP 32771"
UDP, Chain: INPUT, Count: 3, DP: 32771, Sid: 1281
......
==========
Could there be a problem with Google's DNS 8.8.8.8? Or is something impersonating it (a man-in-the-middle attack)? I will keep watching this.