Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Aberrant alerts with snort 2.1.0 build 9

From: John Sage <jsage () finchhaven com>
Date: Thu, 5 Feb 2004 11:19:56 -0800
I'm receiving sporadic alert aberrations, thus:

Feb  5 09:25:37 greatwall snort: [1:483:2] ICMP PING CyberKit 2.2
Windows [Classification: Misc activity] [Priority: 3]: {UDP}
23.19.147.225:666 -> 24.19.147.xxx:1026
Feb  5 09:25:37 greatwall kernel: Block: udp: IN=eth0 OUT=
MAC=00:40:05:88:27:24:00:0a:42:6e:f8:54:08:00 SRC=23.19.147.225
DST=24.19.147.xxx LEN=574 TOS=0x00 PREC=0x00 TTL=113 ID=27832
PROTO=UDP SPT=666+DPT=1026 LEN=554

Feb  5 09:25:37 greatwall snort: [1:483:2] ICMP PING CyberKit 2.2
Windows [Classification: Misc activity] [Priority: 3]: {UDP}
23.19.147.225:666 -> 24.19.147.xxx:1027
Feb  5 09:25:37 greatwall kernel: Block: udp: IN=eth0 OUT=
MAC=00:40:05:88:27:24:00:0a:42:6e:f8:54:08:00 SRC=23.19.147.225
DST=24.19.147.xxx LEN=574 TOS=0x00 PREC=0x00 TTL=113 ID=27834
PROTO=UDP SPT=666+DPT=1027 LEN=554


I have seen this from what are really UDP or TCP packets, but are
being reported as CyberKit pings. CyberKit pings themselves are being
reported correctly.

Is this the sort of "Alert mangling fixes" that 2.1.1-RC1 is hoping to
fix?



- John
-- 
Mad cow? You'd be mad too, if someone was trying to eat you.


-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: