Snort mailing list archives

Re: Sid ?


From: "Tony Scalzitti" <tony () scalzitti org>
Date: Sat, 9 Feb 2002 18:08:49 -0500

I did the same thing when writing SnortFE.  The field is the 32-bit integer
value of the IP.  In fact it reminded me of the old exploit to bypass
filters etc. that use the dot notation.  Windows will let you use them in
place of the "normal" IP and it was possible to use them as a URL to avoid
"blocking" proxies etc.

-T

----- Original Message -----
From: "Warrick FitzGerald" <wfitzgerald () livetechnology com>
To: <Snort-users () lists sourceforge net>
Sent: Saturday, February 09, 2002 4:03 PM
Subject: Re: [Snort-users] Sid ?


My Apologies,

It turns out my "0" ip address is caused by the GUI client I am using to
access MySQL. The integer value seems to be too high for it to deal with.

Thanks
Warrick

----- Original Message -----
From: "Warrick FitzGerald" <wfitzgerald () livetechnology com>
To: <Snort-users () lists sourceforge net>
Sent: Saturday, February 09, 2002 2:58 PM
Subject: Re: [Snort-users] Sid ?


Ahh, thanks for the help. One more though :)

The ip_src and ip_dst addresses are often "0" which is the default. Is this
a bug / problem or am I not understanding the data model ?

Select looks like this :

SELECT `iphdr`.`ip_src`,
       `iphdr`.`ip_dst`,
       `tcphdr`.`tcp_sport`,
       `tcphdr`.`tcp_dport`,
       `tcphdr`.`tcp_seq`,
       `tcphdr`.`tcp_ack`,
       `data`.`data_payload`
FROM `data`
   INNER JOIN `tcphdr` ON (`data`.`cid` = `tcphdr`.`cid`)
   INNER JOIN `iphdr` ON (`tcphdr`.`cid` = `iphdr`.`cid`)

However looking at the iphdr table only reveals exactly the same thing ?

Thanks
Warrick FitzGerald
LiveTechnology Inc.



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
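
The 32-bit integer form of an address discussed in this thread, as an added example that is not part of the original messages or of Snort/SnortFE: it renders an ip_src/ip_dst integer as a dotted quad, checks whether a value fits a client limited to signed 32-bit integers (an assumption about the kind of limit Warrick's GUI client hit), and rewrites an all-digit URL host to dotted form before a filter compares it. The function names, sample addresses and blocklist are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

MAX_U32 = 0xFFFFFFFF
MAX_S32 = 0x7FFFFFFF  # assumed ceiling of a client that only handles signed 32-bit


def int_to_dotted(value: int) -> str:
    """Render a 32-bit integer address (as stored in ip_src / ip_dst) as a dotted quad."""
    if not 0 <= value <= MAX_U32:
        raise ValueError(f"not an unsigned 32-bit address: {value!r}")
    return str(ipaddress.IPv4Address(value))


def dotted_to_int(text: str) -> int:
    """Inverse of int_to_dotted, e.g. for building a WHERE clause on ip_src."""
    return int(ipaddress.IPv4Address(text))


def fits_signed_32(value: int) -> bool:
    """True if a client limited to signed 32-bit integers can represent the value."""
    return 0 <= value <= MAX_S32


def canonical_host(url: str) -> str:
    """Return the URL host, rewriting an all-digit host to its dotted-quad form
    so that a filter compares one canonical spelling of the address."""
    host = urlsplit(url).hostname or ""
    if re.fullmatch(r"[0-9]+", host) and int(host) <= MAX_U32:
        return int_to_dotted(int(host))
    return host


def is_blocked(url: str, blocklist: set) -> bool:
    """Blocklist check on the canonical host instead of the raw string."""
    return canonical_host(url) in blocklist


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    for stored in (167772165, 3232235777):
        print(stored, int_to_dotted(stored), "fits signed 32-bit:", fits_signed_32(stored))
    print(is_blocked("http://3232235777/index.html", {"192.168.1.1"}))
```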




