Snort mailing list archives

RE: Tagged packets in logs


From: "Grejda, Eric" <EGrejda () county allegheny pa us>
Date: Tue, 23 Dec 2003 08:45:31 -0500

I've been seeing those on our networks as well, only there hasn't been any
payload in those packets.  They were appearing on a Snort v2.0.5 setup using
the latest STABLE rule set which was logging to a MySQL database.  We
haven't been able to pin down what's causing them, either, and would love to
know what's going on.  My working theory has been that it's been a system
duplication application of some sort (we use a few of them around here)
pinging the server that stores its disk images but there's no hard data
backing that theory up.

--
Eric Grejda


-----Original Message-----
From: Russell Fulton [mailto:r.fulton () auckland ac nz] 
Sent: Tuesday, December 23, 2003 5:22 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Tagged packets in logs

I am getting a trickle of "tagged" packets turning up in ACID.  All
these packets have 80 as source port and most have no data, just
push+ack set.  A few have data and these always start with a
USER <username><CRLF>PASS <password>.

