Snort mailing list archives
Aberrant alerts with snort 2.1.0 build 9
From: John Sage <jsage () finchhaven com>
Date: Thu, 5 Feb 2004 11:19:56 -0800
I'm receiving sporadic alert aberrations, thus:

Feb 5 09:25:37 greatwall snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {UDP} 23.19.147.225:666 -> 24.19.147.xxx:1026
Feb 5 09:25:37 greatwall kernel: Block: udp: IN=eth0 OUT= MAC=00:40:05:88:27:24:00:0a:42:6e:f8:54:08:00 SRC=23.19.147.225 DST=24.19.147.xxx LEN=574 TOS=0x00 PREC=0x00 TTL=113 ID=27832 PROTO=UDP SPT=666 DPT=1026 LEN=554
Feb 5 09:25:37 greatwall snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {UDP} 23.19.147.225:666 -> 24.19.147.xxx:1027
Feb 5 09:25:37 greatwall kernel: Block: udp: IN=eth0 OUT= MAC=00:40:05:88:27:24:00:0a:42:6e:f8:54:08:00 SRC=23.19.147.225 DST=24.19.147.xxx LEN=574 TOS=0x00 PREC=0x00 TTL=113 ID=27834 PROTO=UDP SPT=666 DPT=1027 LEN=554

I have seen this from what are really UDP or TCP packets, but are being reported as CyberKit pings. CyberKit pings themselves are being reported correctly.

Is this the sort of "Alert mangling fixes" that 2.1.1-RC1 is hoping to fix?

- John

--
Mad cow? You'd be mad too, if someone was trying to eat you.
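A triage check for the symptom described in this post, written as an added example that is not part of the thread or of Snort itself: it parses Snort syslog alerts and netfilter "Block:" lines, flags any alert whose reported {PROTO} contradicts the protocol the rule fires on, and notes whether a firewall log entry for the same packet corroborates the reported protocol (which would point at mangled alert text rather than at a bad packet capture). The sample log is constructed to mirror the excerpt above; the SID-to-protocol table is hand-filled from the rule header for sid 483 (an icmp rule) and would normally be generated from the rules files.

```python
import re

# Constructed sample log, modeled on the syslog excerpt in the post above
# (destination host octet masked as "xxx", as the poster did). The last line
# is a well-formed ICMP alert for the same rule, added as a control.
SAMPLE_LOG = """\
Feb 5 09:25:37 greatwall snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {UDP} 23.19.147.225:666 -> 24.19.147.xxx:1026
Feb 5 09:25:37 greatwall kernel: Block: udp: IN=eth0 OUT= MAC=00:40:05:88:27:24:00:0a:42:6e:f8:54:08:00 SRC=23.19.147.225 DST=24.19.147.xxx LEN=574 TOS=0x00 PREC=0x00 TTL=113 ID=27832 PROTO=UDP SPT=666 DPT=1026 LEN=554
Feb 5 09:25:37 greatwall snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {UDP} 23.19.147.225:666 -> 24.19.147.xxx:1027
Feb 5 09:25:37 greatwall kernel: Block: udp: IN=eth0 OUT= MAC=00:40:05:88:27:24:00:0a:42:6e:f8:54:08:00 SRC=23.19.147.225 DST=24.19.147.xxx LEN=574 TOS=0x00 PREC=0x00 TTL=113 ID=27834 PROTO=UDP SPT=666 DPT=1027 LEN=554
Feb 5 09:31:10 greatwall snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 192.0.2.77 -> 24.19.147.xxx
"""

# Protocol each rule header matches on. sid 483 is an "alert icmp" rule.
# Hand-filled here (assumption for the example); generate it from your rules.
RULE_PROTO = {483: "ICMP"}

# Snort syslog alert format: "[gid:sid:rev] msg [Classification: c] [Priority: p]: {PROTO} src[:port] -> dst[:port]"
SNORT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snort: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<pri>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\w.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\w.]+)(?::(?P<dport>\d+))?$"
)

# netfilter LOG target line: only the fields needed to identify the packet.
KERNEL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: .*"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<sport>\d+) DPT=(?P<dport>\d+))?"
)


def expected_proto(sid, msg):
    """Protocol the rule should have fired on: the rule table first, then the
    message prefix (Snort's stock messages usually start with ICMP/TCP/UDP).
    Returns None when neither source gives an answer, so no check is made."""
    if sid in RULE_PROTO:
        return RULE_PROTO[sid]
    head = msg.split(" ", 1)[0].upper()
    return head if head in ("ICMP", "TCP", "UDP") else None


def find_aberrant_alerts(log_text):
    """Return one dict per Snort alert whose reported protocol contradicts the
    rule's protocol. 'corroborated' is True when a firewall log line with the
    same timestamp, endpoints, protocol and ports exists, i.e. the packet really
    was what the {PROTO} field says and only the alert text is wrong."""
    kernel_seen = set()
    alerts = []
    for line in log_text.splitlines():
        k = KERNEL_RE.match(line)
        if k:
            kernel_seen.add((k["ts"], k["src"], k["dst"], k["proto"].upper(),
                             k["sport"], k["dport"]))
            continue
        s = SNORT_RE.match(line)
        if s:
            alerts.append(s.groupdict())

    aberrant = []
    for a in alerts:
        want = expected_proto(int(a["sid"]), a["msg"])
        got = a["proto"].upper()
        if want is None or want == got:
            continue  # no rule protocol known, or alert is self-consistent
        key = (a["ts"], a["src"], a["dst"], got, a["sport"], a["dport"])
        aberrant.append({
            "ts": a["ts"], "sid": int(a["sid"]), "msg": a["msg"],
            "reported": got, "expected": want,
            "src": a["src"], "dst": a["dst"], "dport": a["dport"],
            "corroborated": key in kernel_seen,
        })
    return aberrant


if __name__ == "__main__":
    for hit in find_aberrant_alerts(SAMPLE_LOG):
        print("{ts} sid {sid}: rule is {expected}, alert says {reported} "
              "-> {dst}:{dport}, firewall corroborates: {corroborated}"
              .format(**hit))
```

Run against the sample, the two UDP-labelled CyberKit alerts are flagged and both are corroborated by the matching "Block: udp" lines, while the genuine ICMP alert passes; a flagged alert without corroboration would instead deserve a look at the packet capture itself.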
Current thread:
- Aberrant alerts with snort 2.1.0 build 9 John Sage (Feb 05)
- Re: Aberrant alerts with snort 2.1.0 build 9 Jeremy Hewlett (Feb 05)