Snort mailing list archives

Re: False alarm due to wrong byteordering


From: Ralf Hildebrandt <Ralf.Hildebrandt () innominate com>
Date: Thu, 26 Jul 2001 16:14:30 +0200

On Tue, Jul 17, 2001 at 04:02:13PM +0200, Ralf Hildebrandt wrote:
Today I got this in the log:

Jul 17 08:11:00 stahlw06 snort: MISC loopback traffic [Classification: Potentially Bad Traffic   Priority: 2]: 
127.75.134.169:0 -> 71.92.134.169:0

which is wrong. It should have been:
134.169.127.75:0 -> 134.169.71.92:0 
instead. I assume there's some error in the byte order for network
addresses under HP-UX 10.20...

I've got more details about this byte-ordering problem:
Jul 26 07:54:25 stahlw06 snort: [103:2:1] Incomplete Packet Fragments Discarded {UDP} 134.169.64.93:0 -> 134.169.26.6:0
Jul 26 07:54:25 stahlw06 snort: [103:2:1] Incomplete Packet Fragments Discarded {UDP} 134.169.64.93:0 -> 134.169.26.6:0
Jul 26 08:02:34 stahlw06 snort: [103:2:1] Incomplete Packet Fragments Discarded {UDP} 134.169.26.6:0 -> 134.169.26.38:0
Jul 26 08:02:34 stahlw06 snort: [103:2:1] Incomplete Packet Fragments Discarded {UDP} 134.169.26.6:0 -> 134.169.26.38:0

These are perfectly OK, correct order and all.

Jul 26 08:28:32 stahlw06 snort: [103:2:1] Incomplete Packet Fragments Discarded {IP} 220.225.134.169 -> 71.89.134.169

Just this one's badly ordered!

All with today's CVS snapshot.
-- 
ralf.hildebrandt () innominate com                            innominate AG
Technical Consultant                   Don't be afraid of what you see -
Diplom-Informatiker                     be afraid of what you don't see!
tel: +49.(0)7000.POSTFIX                        fax: +49.(0)30.308806-77
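
The mis-ordered addresses in the message above differ from the expected ones by an exchange of their two 16-bit halves (a.b.c.d printed as c.d.a.b), not by a full four-byte reversal. The following Python is an added example, not part of the original post or of Snort: it flags such alert lines and restores the addresses, assuming the monitored network is 134.169.0.0/16 (inferred from the post); all function names are hypothetical.

```python
import ipaddress
import re

# Assumption: the sensor's monitored network, taken from the correctly
# ordered addresses in the post (134.169.x.x).
HOME_NET = ipaddress.ip_network("134.169.0.0/16")

QUAD = r"(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
ADDR_PAIR = re.compile(QUAD + r" -> " + QUAD)

# Alert lines copied from the post (the first one re-joined onto one line).
SAMPLE_LOG = [
    "Jul 17 08:11:00 stahlw06 snort: MISC loopback traffic [Classification: "
    "Potentially Bad Traffic   Priority: 2]: 127.75.134.169:0 -> 71.92.134.169:0",
    "Jul 26 07:54:25 stahlw06 snort: [103:2:1] Incomplete Packet Fragments "
    "Discarded {UDP} 134.169.64.93:0 -> 134.169.26.6:0",
    "Jul 26 08:28:32 stahlw06 snort: [103:2:1] Incomplete Packet Fragments "
    "Discarded {IP} 220.225.134.169 -> 71.89.134.169",
]

def swap_halves(addr):
    """Exchange the 16-bit halves of an IPv4 address: a.b.c.d -> c.d.a.b."""
    value = int(ipaddress.IPv4Address(addr))
    return str(ipaddress.IPv4Address(((value & 0xFFFF) << 16) | (value >> 16)))

def byte_reverse(addr):
    """Full four-byte reversal: a.b.c.d -> d.c.b.a."""
    return ".".join(reversed(addr.split(".")))

def in_home(addr):
    return ipaddress.IPv4Address(addr) in HOME_NET

def triage(line):
    """Classify one alert line as 'ok', 'halves-swapped' or 'unknown'."""
    match = ADDR_PAIR.search(line)
    if match is None:
        return None
    src, dst = match.groups()
    try:
        if in_home(src) or in_home(dst):
            return ("ok", src, dst)
        fixed_src, fixed_dst = swap_halves(src), swap_halves(dst)
    except ipaddress.AddressValueError:
        return None  # not a valid dotted quad
    if in_home(fixed_src) or in_home(fixed_dst):
        return ("halves-swapped", fixed_src, fixed_dst)
    return ("unknown", src, dst)

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(triage(entry))
```

An alert whose addresses only land in the monitored network after the swap is a candidate false alarm of the kind reported here, such as the "MISC loopback traffic" hit on 127.75.134.169.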

