Re: Snort has different IPs than Wireshark

["Billy Marshall" <Billy.Marshall () state co us>]

Hi Russ,
You are absolutely correct. After some investigation it is base causing
the issues. I discovered that the database has the addresses correctly
stored and a dump form tcpdump and snort produce correct outputs. A
colleague of mine and I discovered Base has a small bug. It is detailed
in the attached document.
Base version is 1.4.4

 
 


-Bill Marshall
Network Services -
Governor's Office of Information Technology
1575 Sherman Street, Ground Floor G19
Denver, CO 80203
Phone: 303-866-5209
Email:  billy.marshall () state co us 

***************************************************************************
Information contained in this email is confidential and intended for
the addressee only. If you received this message and are not the
intended recipient, please delete the message and do not further
disclose the information. 

> > > Russ Combs <rcombs () sourcefire com> 11/30/2010 11:26 AM >>>
Just looking at your pcap it is hard to say but Snort and Wireshark are
in agreement on the addresses so maybe it is a Base issue.

On Tue, Nov 30, 2010 at 12:28 PM, Billy Marshall
<Billy.Marshall () state co us> wrote:



I have a massive amount of alerts that seem peculiar. Wireshark payload
dump from Snort has South African addresses but snort has RFC 1816
addresses.



Base output


DOS tcpdump tcp LDP print zero length message denial of service attempt

2010-11-24 06:00:01 
10.xxx.xxx.115 (
http://165.127.171.36/base/base_stat_ipaddr.php?ip=10.60.93.115&amp;netmask=32
):2049 
10.xxx.xxx.15 (
http://165.127.171.36/base/base_stat_ipaddr.php?ip=10.60.72.15&amp;netmask32
):646 
TCP 


whois info:

Src 163.197.215.3 Dst 163.196.128.15

ZA, South Africa



Any Ideas

------------------------------------------------------------------------------
Increase Visibility of Your 3D Game App & Earn a Chance To Win $500!
Tap into the largest installed PC base & get more eyes on your game by
optimizing for Intel(R) Graphics Technology. Get started today with
the
Intel(R) Software Partner Program. Five $500 cash prizes are up for
grabs.
http://p.sf.net/sfu/intelisp-dev2dev 
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net 
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users 
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Attachment: Base-pcap-problem.doc
Description:

------------------------------------------------------------------------------
Increase Visibility of Your 3D Game App & Earn a Chance To Win $500!
Tap into the largest installed PC base & get more eyes on your game by
optimizing for Intel(R) Graphics Technology. Get started today with the
Intel(R) Software Partner Program. Five $500 cash prizes are up for grabs.
http://p.sf.net/sfu/intelisp-dev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users