Snort mailing list archives

Re: Same src/dst

From: twig les <twigles () yahoo com>
Date: Mon, 31 Mar 2003 10:10:18 -0800 (PST)

Did you start snort with the -o option?

--- "Brei, Matt" <mbrei () medclaiminc com> wrote:

     I have been seeing a lot of these "same SRC/DST" alerts
even after adding two local rules to pass them.  I think these
alerts are due to the fact that there is a DNS server running
on this machine and it is using itself for its name
resolution.
  
   #3-(4-1434)    
   BAD TRAFFIC same SRC/DST    
   2003-03-30 18:49:29    
   10.13.110.254:1026    
   10.13.110.254:53    
   UDP    

   #4-(4-1435)    
   BAD TRAFFIC same SRC/DST    
   2003-03-30 18:49:29    
   10.13.110.254:53    
   10.13.110.254:1026    
   UDP    

The two local rules are as follows:

  pass ip 10.13.110.254 53 -> 10.13.110.254 1026 (msg:"BAD
TRAFFIC same SRC/DST"; sameip; reference:cve,CVE-1999-0016;
reference:url,www.cert.org/advisories/CA-1997-28.html;
classtype:bad-unknown; sid:527; rev:3;)

pass ip 10.13.110.254 1026 -> 10.13.110.254 53 (msg:"BAD
TRAFFIC same SRC/DST"; sameip; reference:cve,CVE-1999-0016;
reference:url,www.cert.org/advisories/CA-1997-28.html;
classtype:bad-unknown; sid:527; rev:3;)

These alerts are filling the database rather quickly.  Please
help.  I have searched the mailing list archives as well as
Usenet with no helpful results.

Matt


-------------------------------------------------------
This SF.net email is sponsored by:
The Definitive IT and Networking Event. Be There!
NetWorld+Interop Las Vegas 2003 -- Register today!
http://ads.sourceforge.net/cgi-bin/redirect.pl?keyn0001en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.         
-----------------------------------------------------------

__________________________________________________
Do you Yahoo!?
Yahoo! Platinum - Watch CBS' NCAA March Madness, live on your desktop!
http://platinum.yahoo.com


-------------------------------------------------------
This SF.net email is sponsored by: ValueWeb: 
Dedicated Hosting for just $79/mo with 500 GB of bandwidth! 
No other company gives more support or power for your dedicated server
http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Same src/dst Brei, Matt (Mar 30)
- Re: Same src/dst David Alonso De La Vega Tapage (Mar 31)
- Re: Same src/dst twig les (Mar 31)