Snort mailing list archives
Re: Snort has different IPs than Wireshark
From: "Billy Marshall" <Billy.Marshall () state co us>
Date: Tue, 30 Nov 2010 12:42:45 -0700
Hi Russ,

You are absolutely correct. After some investigation it is Base causing the issues. I discovered that the database has the addresses correctly stored, and a dump from tcpdump and Snort produces correct output. A colleague of mine and I discovered Base has a small bug. It is detailed in the attached document. Base version is 1.4.4.

-Bill Marshall
Network Services - Governor's Office of Information Technology
1575 Sherman Street, Ground Floor G19
Denver, CO 80203
Phone: 303-866-5209
Email: billy.marshall () state co us

Information contained in this email is confidential and intended for the addressee only. If you received this message and are not the intended recipient, please delete the message and do not further disclose the information.
Russ Combs <rcombs () sourcefire com> 11/30/2010 11:26 AM >>>
Just looking at your pcap it is hard to say, but Snort and Wireshark are in agreement on the addresses, so maybe it is a Base issue.

On Tue, Nov 30, 2010 at 12:28 PM, Billy Marshall <Billy.Marshall () state co us> wrote:

I have a massive amount of alerts that seem peculiar. The Wireshark payload dump from Snort has South African addresses, but Snort has RFC 1816 addresses.

Base output:

DOS tcpdump tcp LDP print zero length message denial of service attempt
2010-11-24 06:00:01
10.xxx.xxx.115 ( http://165.127.171.36/base/base_stat_ipaddr.php?ip=10.60.93.115&netmask=32 ):2049
10.xxx.xxx.15 ( http://165.127.171.36/base/base_stat_ipaddr.php?ip=10.60.72.15&netmask32 ):646
TCP

whois info:
Src 163.197.215.3
Dst 163.196.128.15
ZA, South Africa

Any Ideas
Attachment: Base-pcap-problem.doc
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort has different IPs than Wireshark Billy Marshall (Nov 30)
- Re: Snort has different IPs than Wireshark Russ Combs (Nov 30)
- Re: Snort has different IPs than Wireshark Billy Marshall (Nov 30)
- Re: Snort has different IPs than Wireshark Castle, Shane (Nov 30)
- Re: Snort has different IPs than Wireshark Billy Marshall (Nov 30)
- Re: Snort has different IPs than Wireshark Russ Combs (Nov 30)