Snort mailing list archives

Re: All alerts have src/dest as 0.0.0.0


From: twig les <twigles () yahoo com>
Date: Sat, 30 Nov 2002 11:30:36 -0800 (PST)

This probably isn't what is going on with you, but I
got FLOODED with the 0.0.0.0:0->0.0.0.0:0 alerts a
while back and after firing up tcpdump -X src 0.0.0.0
it told me in no uncertain terms that we were getting
malformed packets from our firewall (I had to follow
the MAC addresses, not fun).  When I looked through the
logs, it turned out that our firewall vendor had
upgraded their OS (or whatever they call that thing)
right when the alerts started.


--- Jason Algol <slashdotcommacolon () hotmail com> wrote:
Hello, I've upgraded to Snort 1.9.0 and now I can't stop Snort
from setting the src/dst in all alerts to 0.0.0.0, making them
pretty useless.

$ snort -V
Initializing Output Plugins!

-*> Snort! <*-
Version 1.9.0 (Build 209)
By Martin Roesch (roesch () sourcefire com, www.snort.org

examples:

snort: [1:449:4] ICMP Time-To-Live Exceeded in Transit [Classification: Misc activity] [Priority: 3]: {ICMP} 0.0.0.0 -> 0.0.0.0
snort: [1:527:3] BAD TRAFFIC same SRC/DST [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 0.0.0.0:1298 -> 0.0.0.0:80

What could be causing this?

Linux x86


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
-----------------------------------------------------------
If you give a man a fish, he can eat for a day
If you bludgeon him to death, you can eat the fish yourself                       
-----------------------------------------------------------
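
The diagnosis described in the reply above (pick out the frames whose source IP is 0.0.0.0, then follow their MAC addresses to the sending device), as an added example that is not part of the original thread. The frames, MAC addresses and function names are constructed for illustration; DHCP client broadcasts are skipped because they legitimately use 0.0.0.0 as source.

```python
import struct
from collections import Counter

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def is_dhcp_client(ip):
    """DHCP clients legitimately send from 0.0.0.0 (UDP 68 -> 67) before they hold a lease."""
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17 or len(ip) < ihl + 4:
        return False
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return (sport, dport) == (68, 67)

def zero_src_senders(frames):
    """Tally Ethernet source MACs of IPv4 frames whose source IP is 0.0.0.0."""
    senders = Counter()
    for frame in frames:
        if len(frame) < 34:                      # 14-byte Ethernet + 20-byte IPv4 minimum
            continue
        _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
        ip = frame[14:]
        if ethertype != 0x0800 or ip[0] >> 4 != 4:
            continue                             # untagged IPv4 only
        if ip[12:16] == b"\x00" * 4 and not is_dhcp_client(ip):
            senders[mac(src)] += 1
    return senders

def build_frame(src_mac, src_ip, dst_ip, proto, sport, dport):
    """Constructed test frame: Ethernet + IPv4 header + the first 4 bytes of L4 (ports)."""
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    iphdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                        bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + iphdr + struct.pack("!HH", sport, dport)

# Constructed sample traffic; MAC and IP values are made up for illustration.
SAMPLE = [
    build_frame("00:11:22:33:44:55", "0.0.0.0", "0.0.0.0", 6, 1298, 80),         # malformed
    build_frame("00:11:22:33:44:55", "0.0.0.0", "0.0.0.0", 6, 1299, 80),         # malformed
    build_frame("66:77:88:99:aa:bb", "0.0.0.0", "255.255.255.255", 17, 68, 67),  # DHCP discover
    build_frame("66:77:88:99:aa:bb", "192.0.2.10", "192.0.2.1", 6, 40000, 443),  # normal
]

if __name__ == "__main__":
    for sender, count in zero_src_senders(SAMPLE).most_common():
        print(f"{sender}  {count} frame(s) with source 0.0.0.0")
```

If the tally is empty while Snort still reports 0.0.0.0 in every alert, the packets on the wire are fine and the sensor itself is the place to look.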
