Snort mailing list archives

Source IP/destination IP: how close is too close?

From: John Sage <jsage () finchhaven com>
Date: Thu, 17 Jan 2002 20:10:55 -0800

I just had to post this snort capture of a probe to tcp:12345 -- look atthe source IP address relative to my destination IP address as a dialupto access.att.net, out of AT&T's Seattle, WA pop...



=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/17-18:47:48.819272 12.82.129.234:1182 -> 12.82.129.235:12345
TCP TTL:127 TOS:0x0 ID:18697 IpLen:20 DgmLen:48 DF
******S* Seq: 0x21DD8C  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 536 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/17-18:47:51.809627 12.82.129.234:1182 -> 12.82.129.235:12345
TCP TTL:127 TOS:0x0 ID:19209 IpLen:20 DgmLen:48 DF
******S* Seq: 0x21DD8C  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 536 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/17-18:47:57.800193 12.82.129.234:1182 -> 12.82.129.235:12345
TCP TTL:127 TOS:0x0 ID:19721 IpLen:20 DgmLen:48 DF
******S* Seq: 0x21DD8C  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 536 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/17-18:48:09.811401 12.82.129.234:1182 -> 12.82.129.235:12345
TCP TTL:127 TOS:0x0 ID:20233 IpLen:20 DgmLen:48 DF
******S* Seq: 0x21DD8C  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 536 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+



I mean, this guy is right on top of me ;-)

Think I should go yell out the front door for him to knock it off?

This is some clown I see a lot of; he's always nearby, but he's neverbeen this "close".



- John

--
The web page you seek
cannot be found here:
countless others await


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Source IP/destination IP: how close is too close? John Sage (Jan 17)
- Re: Source IP/destination IP: how close is too close? Guillaume (Jan 18)