Snort mailing list archives
Re: False Alert and IP Number
From: John Sage <jsage () finchhaven com>
Date: Sat, 15 Sep 2001 08:30:09 -0700
George:

See: http://www.whitehats.com/cgi/arachNIDS/Show?_id=ids79&view=eventAlerts

"..of the NetMetro Backdoor kind.." (your words: do you mean that's the specific ID being returned?) seem to trigger on tcp packets with a source port 5031, a destination port 1024, and both the ACK and SYN flags set.
Are these characteristic of the packets you're seeing?

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."

George D. Nincehelser wrote:
I'm not sure if this is the appropriate list, but here's something odd I noticed. I don't think it is any problem with Snort, but I'm not sure why it is happening.

I've had Snort running for some time on our DSL link attached to our development lab. Recently, the DSL provider filed for bankruptcy, so our development systems were switched to another DSL provider. Snort went along for the ride.

Due to limited IP space on the new link, several of the development servers were "stacked" onto one public IP number via NAT instead of each having its own distinct public IP.

Since doing this, I've started getting alerts of the NetMetro Backdoor kind. However, the traffic is innocent and normal for our product. The only difference is the "stacked" public IP situation. The alerts started immediately after the IP change, and never occurred before.

Is it reasonable to think that the port-stacking and NAT is altering the packets in a way that just happens to look like suspicious traffic? (The traffic causing this is between SCO Unix boxes running a custom application)

Thoughts?

Thanks
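The following is an added example, not part of the thread and not Snort's own rule code. It encodes the three criteria John quotes for the NetMetro signature (TCP, source port 5031, destination port 1024, SYN and ACK both set) as a matcher, then runs a constructed TCP handshake through a hypothetical many-to-one NAT to show how the port rewriting George describes can turn an ordinary server reply into a packet that matches. All addresses, the server port 5031, the client port, and the NAT's port pool starting at 1024 are assumptions made for the illustration; the thread does not say which ports George's application uses or how his NAT allocates ports.

```python
"""Added example: NetMetro-style signature matcher plus a simulated
port-overloading NAT. Nothing here is from the original mailing-list
thread or from Snort; all packet values are constructed for illustration."""
from dataclasses import dataclass
from itertools import count

SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: int


def matches_netmetro(pkt: Packet) -> bool:
    """The three criteria John quotes from the arachNIDS ids79 entry:
    source port 5031, destination port 1024, SYN and ACK both set."""
    return (pkt.src_port == 5031
            and pkt.dst_port == 1024
            and pkt.flags & (SYN | ACK) == (SYN | ACK))


class OverloadingNat:
    """Hypothetical many-to-one NAT: every inside (ip, port) pair is mapped
    to one public IP and a public port taken from a pool. Starting the pool
    at 1024 is an assumption chosen to show the collision with the rule."""

    def __init__(self, public_ip: str, first_port: int = 1024) -> None:
        self.public_ip = public_ip
        self._pool = count(first_port)
        self._out = {}   # (inside_ip, inside_port) -> public_port
        self._back = {}  # public_port -> (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port)
        if key not in self._out:
            public_port = next(self._pool)
            self._out[key] = public_port
            self._back[public_port] = key
        return Packet(self.public_ip, self._out[key],
                      pkt.dst_ip, pkt.dst_port, pkt.flags)

    def inbound(self, pkt: Packet):
        """Translate a reply back to the inside host, or None if no mapping."""
        inside = self._back.get(pkt.dst_port)
        if inside is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1], pkt.flags)


def simulate_handshake(server_port: int, client_port: int = 40000):
    """Client behind the NAT opens a connection to server_port; the server
    answers with SYN/ACK. Returns (syn as seen outside, server's SYN/ACK as
    seen outside, the same SYN/ACK after translation back inside)."""
    nat = OverloadingNat("203.0.113.10")                  # constructed public IP
    inside_syn = Packet("10.0.0.5", client_port,          # constructed inside host
                        "198.51.100.20", server_port, SYN)
    outside_syn = nat.outbound(inside_syn)
    # The server replies to whatever source port the NAT presented.
    synack = Packet("198.51.100.20", server_port,
                    outside_syn.src_ip, outside_syn.src_port, SYN | ACK)
    return outside_syn, synack, nat.inbound(synack)


if __name__ == "__main__":
    out_syn, synack, inside = simulate_handshake(5031)
    print("outside SYN/ACK matches signature:", matches_netmetro(synack))
    print("same packet inside the NAT matches:", matches_netmetro(inside))
```

The point for a sensor on the public side of the NAT: the first outbound connection gets public port 1024, so a server that happens to listen on 5031 answers with a SYN/ACK from 5031 to 1024, which satisfies the signature as John describes it. The same reply seen inside the NAT carries the client's real ephemeral port and does not match, which is one quick way to confirm that the NAT, not the application, is producing the hit.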
Current thread:
- TOS snortlst snortlst (Sep 14)
- Re: TOS Beckster (Sep 14)
- False Alert and IP Number George D. Nincehelser (Sep 14)
- Re: False Alert and IP Number John Sage (Sep 15)
- RE: TOS Cessna, Michael (Sep 14)
- Re: TOS Beckster (Sep 14)