Snort mailing list archives

Re: Same config, FreeBSD vs OpenBSD, WAY different results


From: Jim Brown <jpb () sixshooter v6 thrupoint net>
Date: Mon, 13 Oct 2003 21:12:33 -0400

* Jim Brown <jpb () sixshooter v6 thrupoint net> [2003-10-12 15:28]:
Hello list,


Re: Version 2.0.2 (Build 92)



Strangely, after a sniff fest with tcpdump, it looks like the
answer is that the OpenBSD box just gets hits from more systems.
Strange to me with what I know about virus propagation anyway.
(And yes, these are all [**] ICMP PING CyberKit 2.2 Windows [**] sigs.)

Here are tcpdumps from both systems produced with 
data captured by tcpdump -w ./out.sysname

Data was sorted with
tcpdump -n -r  ./out.sysname | grep \> | sort -k2 | grep icmp > ./out.sysname.srt

I sorted on source IP to allow me to find duplicates more easily.

Thanks to all responders and many suggestions!

Best Regards,
jpb
===



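The comparison described in the post (which sources pinged one sensor but not the other), as an added example that is not part of the original message. It assumes the old tcpdump text format the post's pipeline produces (`time src > dst: icmp: echo request`); the function names, file names and sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed input: "tcpdump -n -r"
# text lines of the form
#   HH:MM:SS.usec SRC > DST: icmp: echo request
export LC_ALL=C   # sort and comm must agree on collation order

# Unique source addresses of ICMP echo requests in one capture listing.
echo_request_sources() {
    awk '$3 == ">" && /icmp: echo request/ { print $2 }' "$1" | sort -u
}

# compare_sources MODE A B   (MODE: only-a | only-b | both)
# Prints the sources seen only in listing A, only in B, or in both.
compare_sources() {
    ta=$(mktemp) && tb=$(mktemp) || return 1
    echo_request_sources "$2" > "$ta"
    echo_request_sources "$3" > "$tb"
    case "$1" in
        only-a) comm -23 "$ta" "$tb" ;;
        only-b) comm -13 "$ta" "$tb" ;;
        both)   comm -12 "$ta" "$tb" ;;
        *)      echo "usage: compare_sources only-a|only-b|both A B" >&2 ;;
    esac
    rm -f "$ta" "$tb"
}

# Constructed sample listings (documentation addresses, not data from the post).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/out.sensor1.srt" <<'EOF'
20:00:01.000001 192.0.2.10 > 10.0.0.101: icmp: echo request
20:00:01.030001 192.0.2.10 > 10.0.0.103: icmp: echo request
20:00:05.000001 198.51.100.7 > 10.0.0.101: icmp: echo request
20:00:01.000050 10.0.0.101 > 192.0.2.10: icmp: echo reply
EOF
cat > "$SAMPLES/out.sensor2.srt" <<'EOF'
20:00:00.990001 192.0.2.10 > 10.0.0.100: icmp: echo request
20:00:07.000001 203.0.113.5 > 10.0.0.100: icmp: echo request
20:00:09.000001 203.0.113.99 > 10.0.0.100: icmp: echo request
20:00:07.000040 10.0.0.100 > 203.0.113.5: icmp: echo reply
EOF

# Sources that hit sensor2 but never sensor1: the "extra" alert sources.
compare_sources only-b "$SAMPLES/out.sensor1.srt" "$SAMPLES/out.sensor2.srt"
```

Sources that appear in only one listing explain a difference in alert counts by traffic rather than by Snort configuration; sources in both listings are the ones worth checking rule-for-rule.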

