Snort mailing list archives

Re: Snort has different IPs than Wireshark


From: Russ Combs <rcombs () sourcefire com>
Date: Tue, 30 Nov 2010 13:26:03 -0500

Just looking at your pcap, it is hard to say, but Snort and Wireshark are in
agreement on the addresses, so maybe it is a Base issue.

On Tue, Nov 30, 2010 at 12:28 PM, Billy Marshall <Billy.Marshall () state co us>
wrote:

I have a massive amount of alerts that seem peculiar. Wireshark payload
dump from Snort has South African addresses but Snort has RFC
1816 addresses.



Base output

DOS tcpdump tcp LDP print zero length message denial of service attempt

2010-11-24 06:00:01

10.xxx.xxx.115<http://165.127.171.36/base/base_stat_ipaddr.php?ip=10.60.93.115&netmask=32>:2049

10.xxx.xxx.15<http://165.127.171.36/base/base_stat_ipaddr.php?ip=10.60.72.15&netmask32>:646

TCP


whois info:

Src 163.197.215.3 Dst 163.196.128.15

ZA, South Africa



Any ideas?


------------------------------------------------------------------------------
Increase Visibility of Your 3D Game App & Earn a Chance To Win $500!
Tap into the largest installed PC base & get more eyes on your game by
optimizing for Intel(R) Graphics Technology. Get started today with the
Intel(R) Software Partner Program. Five $500 cash prizes are up for grabs.
http://p.sf.net/sfu/intelisp-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
