Re: [commercial] Re: Snort alarm sameip

[Joel Esler <jesler () sourcefire com>]

If you could email the pcap to research () sourcefire com

That would be great. B

--
Joel Esler

On May 28, 2012, at 6:11 PM, Philip Edwards <phil.e () clara net> wrote:

> Hello again,
>
> phil@Rangoon:~$ tcpdump -r dhcp.cap | grep 0.0.0.0
> reading from file dhcp.cap, link-type EN10MB (Ethernet)
> 18:16:22.019719 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:1b:63:c7:06:bb (oui Unknown), 
> length 300
> 18:17:25.761463 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:1b:63:c7:06:bb (oui Unknown), 
> length 300
> 18:17:31.973436 IP philip-edwards-computer.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 
> b.b.6.0.7.c.e.f.f.f.3.6.b.1.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
> tcpdump: pcap_loop: truncated dump file; tried to read 60 captured bytes, only got 24
>
>
>
> Phil.
>
>
> On 26 May 2012, at 18:53, Eric G wrote:
>
> > On Sat, May 26, 2012 at 8:12 AM, Philip Edwards <phil.e () clara net> wrote:
> >
> > Hi,
> >
> > Howdy!
> >  
> > Can anyone hazard a guess why the sameip keyword is triggering an alarm on a DHCP request.
> > The source is 0.0.0.0 the destination is 255.255.255.255
> > The rule is the default: bad-traffic rule
> >
> > alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip; reference:bugtraq,2666; 
> > reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; 
> > rev:8;)
> >
> > I would venture to guess that the response from the list is going to be something along the lines of "can you 
> > provide us a pcap of the traffic?" That's kind of how folks roll around here.
> >
> > --
> > Eric
> >
> > ------------------------------------------------------------------------------
> > Live Security Virtual Conference
> > Exclusive live event will cover all the ways today's security and 
> > threat landscape has changed and how IT managers can respond. Discussions 
> > will include endpoint security, mobile security and the latest in malware 
> > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/_______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and 
> threat landscape has changed and how IT managers can respond. Discussions 
> will include endpoint security, mobile security and the latest in malware 
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!