Snort mailing list archives
Re: [Snort-users] Snort 2.8.6 generatin invalid ip options in events?
From: "Bruce A. Sanders" <basanders () proobject com>
Date: Fri, 04 Jun 2010 15:52:48 -0400
Andy,

I decoded the data portion (Base64) to URL:http://iplane.cs.washington.edu/pl_measurement.html Contact:iplane-support () cs washington edu. Took a look and it may provide more clues.

Bruce Sanders
ProObject
7467 Ridge Rd., Suite 330
Hanover, MD 21076
Office: 410-993-1699 x 170
Fax:410-993-1691

_____
From: Joel Esler [mailto:jesler () sourcefire com]
To: Andy Berryman [mailto:aberryman () Cymtec com]
Cc: <snort-users () lists sourceforge net> [mailto:snort-users () lists sourceforge net]
Sent: Fri, 04 Jun 2010 14:48:13 -0400
Subject: Re: [Snort-users] Snort 2.8.6 generatin invalid ip options in events?

Is this a dump out of the database or something?

--
Joel Esler
Sent from my iPhone

On Jun 4, 2010, at 2:33 PM, "Andy Berryman" <aberryman () Cymtec com> wrote:

I'm having an issue with snort 2.8.6 that I have really no clue on how to even start trying to figure out. So, besides Google, you guys are my first hope. I'm getting events from snort that have invalid ip options in the event. Hoping someone can point me in the right direction on how/where to start.

Here's the event.

iphdr:1406410883,3436490497,4,15,0,264,44627,0,0,26,1,12955
ipopt:0,0,1,0,
ipopt:1,0,7,37,KAoBZQTCsdFOw/sbIcP7G5o+KHxaPihwpkDWkZJA18PRkOgJpg==
icmphdr:8,0,19178
data:VVJMOmh0dHA6Ly9pcGxhbmUuY3Mud2FzaGluZ3Rvbi5lZHUvcGxfbWVhc3VyZW1lbnQuaHRt
bCBDb250YWN0OmlwbGFuZS1zdXBwb3J0QGNzLndhc2hpbmd0b24uZWR1AAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

Thanks,
Andy Berryman
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
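Added example (not part of the original thread and not Snort's own code): a Python sketch that decodes the two ipopt fields of the event quoted above as RFC 791 IP options. It assumes the third and fourth comma-separated fields are the option type and the length of the base64-encoded option data; the thread does not document that layout.

```python
import base64
import ipaddress

# Lines copied from the event quoted in the thread. Assumed field layout
# (not documented on the page): ipopt:<index>,<unknown>,<type>,<data len>,<base64>
IPOPT_LINES = [
    "ipopt:0,0,1,0,",
    "ipopt:1,0,7,37,KAoBZQTCsdFOw/sbIcP7G5o+KHxaPihwpkDWkZJA18PRkOgJpg==",
]
# Option type numbers from RFC 791
OPTION_NAMES = {0: "End of Option List", 1: "No Operation", 7: "Record Route"}


def parse_ipopt(line):
    """Split one ipopt line into option type, declared length and decoded bytes."""
    _, _, opt_type, opt_len, b64 = line.split(":", 1)[1].split(",", 4)
    return int(opt_type), int(opt_len), base64.b64decode(b64)


def parse_record_route(data):
    """RFC 791 Record Route body: one pointer byte, then 4-byte IPv4 slots."""
    if len(data) < 1 or (len(data) - 1) % 4:
        raise ValueError("not a well-formed Record Route body")
    pointer = data[0]
    total_len = len(data) + 2  # add back the type and length bytes
    slots = [str(ipaddress.IPv4Address(data[i:i + 4]))
             for i in range(1, len(data), 4)]
    # The pointer is 1-based from the option start; the first slot begins at 4.
    filled = min((pointer - 4) // 4, len(slots)) if pointer >= 4 else 0
    return {"pointer": pointer, "full": pointer > total_len,
            "hops": slots[:filled]}


def summarize(lines=IPOPT_LINES):
    """Decode every ipopt line and check the declared length against the data."""
    out = []
    for line in lines:
        opt_type, opt_len, data = parse_ipopt(line)
        entry = {"name": OPTION_NAMES.get(opt_type, f"type {opt_type}"),
                 "length_matches": opt_len == len(data)}
        if opt_type == 7:
            entry.update(parse_record_route(data))
        out.append(entry)
    return out


if __name__ == "__main__":
    for entry in summarize():
        print(entry)
```

Under those assumptions the event carries a one-byte No Operation option followed by a Record Route option whose nine address slots are all filled (pointer 40), which together account for 40 bytes of IP options.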