Snort mailing list archives
What is snort doing to the packets
From: "Bagwell, Steve" <sbagwell () above net>
Date: Thu, 16 Oct 2003 23:05:07 -0400
We have been getting a lot of ICMP PING CyberKit 2.2 Windows alerts. The reason behind the alert is easy enough, but the Src IP and Dest IP are confusing. The alerts scroll across the screen most of the night but are not worth investigating because neither the Src IP nor the Dest IP is ever reachable. I started capturing packets to see what was going on, and all the packets which would trigger this type of alert have legitimate Src IP and Dest IP. What could be happening after snort runs them through the rules?

One theory is: The Src IP is broadcasting its internal IP space.

Alert from E-Sentinel:

Event - snort: [ID 702911 local5.alert] [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 192.168.100.107 -> 64.124.244.87

Thanks
Steve
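For triaging a stream of alerts like the one quoted in the message above, the following added example (not part of the original post and not Snort or E-Sentinel code) parses that syslog alert layout, counts alerts per rule and address pair, and flags endpoints in RFC 1918 private space, which are not routable from outside the network they belong to. The function names are hypothetical, and every sample line other than the one quoted in the post is constructed.

```python
import ipaddress
import re
from collections import Counter

# Alert layout as it appears in the quoted syslog line:
# [gid:sid:rev] message [Classification: ...] [Priority: n]: {PROTO} src -> dst
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]:?\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?"
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(text):
    addr = ipaddress.ip_address(text)  # raises ValueError on a malformed address
    return any(addr in net for net in RFC1918)

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    try:
        rec["src_rfc1918"] = is_rfc1918(rec["src"])
        rec["dst_rfc1918"] = is_rfc1918(rec["dst"])
    except ValueError:
        return None
    return rec

def summarize(lines):
    """Count alerts per (sid, src, dst), keeping the private-address flags."""
    counts = Counter()
    for line in lines:
        rec = parse_alert(line)
        if rec is not None:
            counts[(rec["sid"], rec["src"], rec["src_rfc1918"],
                    rec["dst"], rec["dst_rfc1918"])] += 1
    return counts

QUOTED = ("snort: [ID 702911 local5.alert] [1:483:2] ICMP PING CyberKit 2.2 Windows "
          "[Classification: Misc activity] [Priority: 3]: {ICMP} 192.168.100.107 -> 64.124.244.87")
SAMPLE = [  # QUOTED is the alert from the post; the other lines are constructed
    QUOTED, QUOTED,
    "snort: [1:1000001:1] Constructed test rule [Classification: Misc activity] "
    "[Priority: 3]: {TCP} 198.51.100.7:4312 -> 10.1.2.3:80",
    "sshd[311]: constructed non-Snort syslog line",
]
if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, key)
```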