Date: Sun, 2 Jan 2000 20:37:33 -0600 (CST)
From: ids@honeynet.org
To: admin@honeynet.org
Subject: #### HONEYPOT HACKED!!! ####

You have received this message because someone is trying to reach the
Internet from one of the honeypots. This most likely means the system
was compromised. This is email alert number 5, with a limit of 5 from
victim3-int.

----- CRITICAL INFORMATION -----

Date: 2Jan2000
Time: 20:37:31
Source: victim3-int
Destination: rootkits.example.com
Service: ftp

----- ACTUAL FW-1 LOG ENTRY -----

2Jan2001 20:37:31 accept lisa-int >qfe0 alert proto tcp src victim3-int dst rootkits.example.com service ftp s_port 32801 len 44 rule 17 xlatesrc victim3-ext xlatedst rootkits.example.com xlatesport 32801 xlatedport ftp

--- WARNING ---

Intruder victim3-int has been blocked at the Firewall for the next
36000 seconds (10 hours). To enable victim3-int, type the following
command on the Firewall

/opt/CPfw1-41/bin/fw sam -t 36000 -C -i src victim3-int

This is alert number 5, you have reached your maximum threshold.
You will not receive anymore alerts.