[Snort-users] Break in attempt?

Jim Burnes jburnes at ...75...
Tue Nov 7 11:57:19 EST 2000


On Tue, 07 Nov 2000, Martin Roesch wrote:
> That doesn't look like any shell code I've ever seen, so it's probably
> something else.  It looks like it's saying that it's rejecting a protocol
> called "LCP", which I also don't know off the top of my head.  I wouldn't
> worry about it too much, although it might not be a bad idea to hook up
> something with some beefier protocol analysis capabilities than Snort (like
> Ethereal) and see what it has to say.
>
>     -Marty
>
> Preben Randhol wrote:
> > Does this look like a break-in attempt? I found it in the log of my
> > machine that is connected to the net with ISDN.
> >
> > Thanks in advance.
> >
> > Nov  5 14:33:01 machine ipppd[357]: rcvd [0][LCP ProtRej id=0x90 d8 82
> > 3c fd 3e f1 ce c8 03 42 52 3f 46 d0 6f e5 7c bb bd c2 80 94 6f 82 0f e7
> > 42 86 40 c9 14 72 49 b9 d8 3a 4a 5c 33 0f 4d 86 aa 00 5d b7 69 51 b4 9a
> > f6 72 df 10 dd 9f a7 9c 54 8e 9a 7d 73 a1 de 45 ba d6 a4 62 aa a4 29 a5
> > 63

LCP is the PPP Link Control Protocol.  LCP negotiates line settings
and other features.  Since PPP can carry many protocols on top of it,
it's probably complaining that it can't carry a specific protocol
that was requested.  Probably a communications error or something.


-- 
Sometimes it is said that man can not be trusted with the government of
himself. Can he, then, be trusted with the government of others? Or have we
found angels in the forms of kings to govern him? Let history answer this
question.	-- Thomas Jefferson, 1st Inaugural
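
An added example, not part of the original post: a small Python decoder for the logged `LCP ProtRej` line. It assumes ipppd prints the Protocol-Reject data field as raw hex after `id=` (as pppd does), so the first two octets are the Rejected-Protocol field defined in RFC 1661. The function names and the `KNOWN` table are illustrative. A Rejected-Protocol value that is not a well-formed PPP protocol number is consistent with the "communications error" reading above.

```python
import re

# Log line from the post above, with the hex dump shortened to its first 16 bytes.
SAMPLE = ("Nov  5 14:33:01 machine ipppd[357]: rcvd [0][LCP ProtRej id=0x90 "
          "d8 82 3c fd 3e f1 ce c8 03 42 52 3f 46 d0 6f e5")

# A few well-known PPP protocol numbers, used only to label the result.
KNOWN = {0x0021: "IPv4", 0x8021: "IPCP", 0xC021: "LCP",
         0xC023: "PAP", 0xC223: "CHAP", 0x80FD: "CCP"}

# Assumption: the bytes printed after "id=0x.." are the packet's data field.
LINE_RE = re.compile(r"LCP ProtRej id=0x([0-9a-fA-F]+)((?:\s+[0-9a-fA-F]{2})*)")


def well_formed(proto):
    """RFC 1661 section 2: the low octet must be odd and the high octet even."""
    return (proto & 0x0001) == 1 and (proto & 0x0100) == 0


def parse_protrej(line):
    """Return the decoded Protocol-Reject fields, or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    data = bytes(int(b, 16) for b in m.group(2).split())
    if len(data) < 2:
        return None  # too short to hold a Rejected-Protocol field
    proto = int.from_bytes(data[:2], "big")
    return {
        "id": int(m.group(1), 16),
        "rejected_protocol": proto,
        "name": KNOWN.get(proto, "unknown"),
        "well_formed": well_formed(proto),
        "info_len": len(data) - 2,  # bytes of Rejected-Information that follow
    }


if __name__ == "__main__":
    r = parse_protrej(SAMPLE)
    print("id=0x%02x rejected=0x%04x (%s) well_formed=%s info_bytes=%d"
          % (r["id"], r["rejected_protocol"], r["name"],
             r["well_formed"], r["info_len"]))
```
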


