Snort mailing list archives
Re: All alerts have src/dest as 0.0.0.0
From: Erek Adams <erek () theadamsfamily net>
Date: Sat, 30 Nov 2002 11:11:16 -0800 (PST)
On Sat, 30 Nov 2002, Jason Algol wrote:
> hello, I've upgraded to snort 1.9.0 and now I can't stop snort from setting
> the src/dst in all alerts to 0.0.0.0, making them pretty useless.
>
> $ snort -V
> Initializing Output Plugins!
> -*> Snort! <*-
> Version 1.9.0 (Build 209)
> By Martin Roesch (roesch () sourcefire com, www.snort.org
>
> examples:
>
> snort: [1:449:4] ICMP Time-To-Live Exceeded in Transit [Classification: Misc activity] [Priority: 3]: {ICMP} 0.0.0.0 -> 0.0.0.0
> snort: [1:527:3] BAD TRAFFIC same SRC/DST [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 0.0.0.0:1298 -> 0.0.0.0:80
>
> what could be causing this?

Do you have a pcap of this? If you do, it would be _very_ helpful to determine the cause of this. Can you duplicate the issue with Tcpdump or any other pcap based sniffer?

What type of Linux? Which version and distro? Are you using an RPM version of libpcap? If so, remove it and update to the latest one from Tcpdump.org.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net