Snort mailing list archives

RE: (no subject)

From: "John Stroud" <bear () amberorder com>
Date: Fri, 31 May 2002 12:59:40 -0700

I forgot to copy the list on my reply, but then I made a typo on it, so
here we go again, corrected....

I interpreted the transactions listed as:
Webserver:80 -> Browser:3372    (Reply)

So I assume somewhere in the packets stream is a:
Browser:3372 -> Webserver:80    (original request)

If this assumption is correct, it could be a false positive.

I see false positives a lot when I'm reading about IDS and virus
signatures and the actual content delivered contains the signature, and
a port of 80.  

Notice in the alert the internal address listed as the destination
appears to be receiving a reply from a server from which a request was
made?  The source, not the destination, is on port 80.

J.

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Hugo Ferr
Sent: Friday, May 31, 2002 10:55 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] (no subject)

Snort LAN sensor
Here is the line from acid :
Source
destination
      DOS MSDTC attempt         207.35.159.36:80        10.0.0.249:3372
TCP


How is this possible? 10.0.0.249 is a proxy machine taht doesn't have
public
ip. How somebody can connect to non-routable ip from the outside world?
Or should I interpret this line as something else?

_______________________________________________________________

Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Tracking #: 90DF56322D156443A1B23C8D2A518FF929784DB6


_______________________________________________________________

Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

(no subject), (continued)
- (no subject) C Boss (Apr 25)
  - Re: (no subject) Ralf Hildebrandt (Apr 25)
- (no subject) Zero Dark (May 04)
  - Re: (no subject) Matt Kettler (May 04)
- (no subject) Vadim Pushkin (May 07)
- (no subject) Z . Qili (May 07)
- (no subject) John Maestrale (May 20)
- (no subject) John Maestrale (May 29)
- (no subject) Hugo Ferr (May 31)
  - Re: (no subject) Rich Adamson (May 31)
  - RE: (no subject) John Stroud (May 31)
- RE: (no subject) Wirth, Jeff (May 31)
  - Re: (no subject) Hugo Ferr (May 31)
- (no subject) Eduard San Anselmo (Jun 04)
- RE: (no subject) McCammon, Keith (Jun 04)
- FW: (no subject) ChandlerH (Jun 04)
- RE: (no subject) Richard Silver (Jun 04)
- (no subject) john (Jun 11)
- (no subject) Richard Houston (Jun 12)
  - Re: (no subject) Erek Adams (Jun 12)