Snort mailing list archives
RE: (no subject)
From: "John Stroud" <bear () amberorder com>
Date: Fri, 31 May 2002 12:59:40 -0700
I forgot to copy the list on my reply, but then I made a typo on it, so here we go again, corrected....

I interpreted the transactions listed as:

Webserver:80 -> Browser:3372 (Reply)

So I assume somewhere in the packet stream is a:

Browser:3372 -> Webserver:80 (original request)

If this assumption is correct, it could be a false positive. I see false positives a lot when I'm reading about IDS and virus signatures and the actual content delivered contains the signature, and a port of 80.

Notice in the alert the internal address listed as the destination appears to be receiving a reply from a server from which a request was made? The source, not the destination, is on port 80.

J.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Hugo Ferr
Sent: Friday, May 31, 2002 10:55 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] (no subject)

Snort LAN sensor

Here is the line from acid :

Source destination
DOS MSDTC attempt 207.35.159.36:80 10.0.0.249:3372 TCP

How is this possible? 10.0.0.249 is a proxy machine that doesn't have a public IP. How can somebody connect to a non-routable IP from the outside world? Or should I interpret this line as something else?
_______________________________________________________________
Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
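The direction check described in the reply above, as an added example that is not part of the original posts or of Snort/ACID: it parses alert lines in the column order quoted in the message and flags alerts whose source port is a common server port while the destination port is a high client-side port. The port set, the 1024 threshold, the function names and the second sample line are assumptions made for illustration.

```python
import re

# Alert lines in the column order quoted in the post:
# signature, source ip:port, destination ip:port, protocol.
SAMPLE_ALERTS = [
    "DOS MSDTC attempt 207.35.159.36:80 10.0.0.249:3372 TCP",   # line from the post
    "DOS MSDTC attempt 198.51.100.7:40112 10.0.0.12:3372 TCP",  # constructed sample
]

ALERT_RE = re.compile(
    r"^(?P<sig>.+?)\s+(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)"
    r"\s+(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)

# Assumption: ports on which a server normally answers clients.
COMMON_SERVER_PORTS = {25, 80, 110, 443, 8080}
# Assumption: client-side (ephemeral) ports start at 1024.
EPHEMERAL_MIN = 1024


def parse_alert(line):
    """Split one alert line into its fields, with ports as integers."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        raise ValueError("unrecognised alert line: %r" % line)
    fields = m.groupdict()
    fields["sport"] = int(fields["sport"])
    fields["dport"] = int(fields["dport"])
    return fields


def triage(line):
    """Return 'likely-reply' when the packet looks like server-to-client
    traffic, i.e. the rule's port matched a client's ephemeral port."""
    a = parse_alert(line)
    if a["sport"] in COMMON_SERVER_PORTS and a["dport"] >= EPHEMERAL_MIN:
        return "likely-reply"
    return "inbound-to-service"


if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(triage(alert), "<-", alert)
```

A "likely-reply" result is only a triage hint; the packet capture should still show the earlier request from the internal host's port to the server's port 80 before the alert is closed as a false positive.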