Snort mailing list archives
False Alert and IP Number
From: "George D. Nincehelser" <george () ccitriad net>
Date: Fri, 14 Sep 2001 16:34:35 -0500
I'm not sure if this is the appropriate list, but here's something odd I noticed. I don't think it is any problem with Snort, but I'm not sure why it is happening.

I've had Snort running for some time on our DSL link attached to our development lab. Recently, the DSL provider filed for bankruptcy, so our development systems were switched to another DSL provider. Snort went along for the ride.

Due to limited IP space on the new link, several of the development servers were "stacked" onto one public IP number via NAT instead of each having its own distinct public IP.

Since doing this, I've started getting alerts of the NetMetro Backdoor kind. However, the traffic is innocent and normal for our product. The only difference is the "stacked" public IP situation. The alerts started immediately after the IP change, and never occurred before.

Is it reasonable to think that the port-stacking and NAT are altering the packets in a way that just happens to look like suspicious traffic? (The traffic causing this is between SCO Unix boxes running a custom application.)

Thoughts?

Thanks