Snort mailing list archives

Previous By Date Next
Previous By Thread Next

(no subject)

From: "Marc Quibell" <mquibell () fbfs com>
Date: Thu, 18 Sep 2003 08:51:17 -0500


Broadcast addresses can't show up as a source. Must be your reporting is a
little whacky...What are the destinations?

Marc


Message: 2
From: "Edward Marshall" <edtech () tstt net tt>
To: <snort-users () lists sourceforge net>
Date: Thu, 18 Sep 2003 05:59:43 -0400
Subject: [Snort-users] Broadcast address???>



This is a multi-part message in MIME format.



------=_NextPart_000_0001_01C37DAA.0F55F630
Content-Type: text/plain;

     charset="us-ascii"

Content-Transfer-Encoding: 7bit



Hi Guys, after running Snort 2.0.1 on a corporate network 192.168.2.0/24
for a week, I used Sawmill to analyze the Snort log files (Alert,
Portscan.log and Scan.log).
I noticed that the following source IP addresses showed up 192.168.2.255
(with 6,296 hits) and 255.255.255.255 (with 626 hits). My question is,
isn't these two IP addresses - broadcast addresses???  How can a
broadcast address show up as a source IP address???



Any assistance would be greatly appreciated!!!




Thanks



Eddie







-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: