Re: (no subject)

["Hugo Ferr" <snortgrp () hotmail com>]

my snort sniffs lan nic of the firewall, but I think it sees the traffic
before it is nated.
----- Original Message -----
From: "Wirth, Jeff" <WirthJe () DNB com>
To: "'Hugo Ferr'" <snortgrp () hotmail com>;
<snort-users () lists sourceforge net>
Sent: Friday, May 31, 2002 3:53 PM
Subject: RE: [Snort-users] (no subject)


> From: Hugo Ferr [mailto:snortgrp () hotmail com]
> > Snort LAN sensor
> > Here is the line from acid :
> > Source
> > destination
> >       DOS MSDTC attempt         207.35.159.36:80
> > 10.0.0.249:3372
> > TCP
> >
> >
> > How is this possible? 10.0.0.249 is a proxy machine taht
> > doesn't have public
>
> Is your snort box inside your FW?  If so, I think what you are seeing here
> is a false alarm.  The source port on the packet is 80 (HTTP) and you
> mentioned that the 10.0.0.249 box is a proxy server, so if you are
snorting
> after NATing occurs this would explain things.
>
> > ip. How somebody can connect to non-routable ip from the
> > outside world?
> > Or should I interpret this line as something else?
>
> - Jeff

_______________________________________________________________

Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users