[Snort-users] Nice result with snort.

ktimm at ...651... ktimm at ...651...
Mon Jan 29 15:40:44 EST 2001

Was the attacker on the same network segment as the snort box?
I could be wrong but I thought it was impossible to get the HW
Addr on traditional ethernet if the person was not on the same LAN.

On Mon, 29 Jan 2001, Jan Hugo Prins wrote:

> Hi everyone,
> Today I had a nice result from Snort.
> Yesterday evening someone tried a Naptha DoS attack on my port 22. This was
> perfectly logged in both the alert file and the MySQL database (about 2200
> packets). The guy that did this had masked his IP address and the destination
> address. But what he didn't mask (and is probably much more difficult to mask)
> was his hardware address so by doing a search in my logfiles I finally found 2
> packets from someone doing a portscan at his system with his IP address clearly
> stated.
> The only thing that rested was sending an abuse mail to his provider. Haven't
> heard from them yet but I have a good hope that they will notice me about any
> results.
> Greetings,
> J.H. Prins
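
Added example, not part of the original posts: a Python sketch of the log search described in this thread, grouping source IPs by source MAC in Snort output that carries the link-layer header (Snort's -e option). The log layout, the sample lines, all addresses and the function names are constructed assumptions. A router forwarding traffic also shows many source IPs behind one MAC, which is the caveat raised in the reply, so known gateway MACs are excluded.

```python
import re
from collections import defaultdict

# Constructed sample, assuming the two-line layout Snort prints with -e:
# link-layer header on the timestamp line, IP header on the next line.
SAMPLE_LOG = """\
01/28-21:14:03.100001 0:0:5E:0:53:1 -> 0:0:5E:0:53:10 type:0x800 len:0x3C
198.51.100.7:1034 -> 192.0.2.10:22 TCP TTL:64 TOS:0x0 ID:413 IpLen:20 DgmLen:40
01/28-21:14:03.100950 0:0:5E:0:53:1 -> 0:0:5E:0:53:10 type:0x800 len:0x3C
203.0.113.99:1035 -> 192.0.2.10:22 TCP TTL:64 TOS:0x0 ID:414 IpLen:20 DgmLen:40
01/28-21:14:03.101800 0:0:5E:0:53:1 -> 0:0:5E:0:53:10 type:0x800 len:0x3C
198.51.100.200:1036 -> 192.0.2.10:22 TCP TTL:64 TOS:0x0 ID:415 IpLen:20 DgmLen:40
01/28-20:02:11.500000 0:0:5E:0:53:1 -> 0:0:5E:0:53:10 type:0x800 len:0x3C
192.0.2.44:2201 -> 192.0.2.10:111 TCP TTL:64 TOS:0x0 ID:88 IpLen:20 DgmLen:40
01/28-21:20:00.000000 0:0:5E:0:53:FE -> 0:0:5E:0:53:10 type:0x800 len:0x3C
203.0.113.5:4000 -> 192.0.2.10:80 TCP TTL:52 TOS:0x0 ID:9 IpLen:20 DgmLen:40
01/28-21:20:01.000000 0:0:5E:0:53:FE -> 0:0:5E:0:53:10 type:0x800 len:0x3C
198.51.100.81:4001 -> 192.0.2.10:80 TCP TTL:49 TOS:0x0 ID:10 IpLen:20 DgmLen:40
"""
MAC = r"(?:[0-9A-Fa-f]{1,2}:){5}[0-9A-Fa-f]{1,2}"
ETH_RE = re.compile(rf"^\S+\s+({MAC}) -> {MAC} type:0x800")
IP_RE = re.compile(r"^(\d+(?:\.\d+){3})(?::\d+)? -> (\d+(?:\.\d+){3})")

def norm_mac(mac):
    """Zero-pad and lowercase, so 0:0:5E:0:53:1 == 00:00:5e:00:53:01."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def parse_frames(text):
    """Return (src_mac, src_ip, dst_ip) for each logged IPv4 packet."""
    frames, src_mac = [], None
    for line in text.splitlines():
        eth = ETH_RE.match(line)
        if eth:
            src_mac = norm_mac(eth.group(1))
            continue
        ip = IP_RE.match(line)
        if ip and src_mac:
            frames.append((src_mac, ip.group(1), ip.group(2)))
        src_mac = None
    return frames

def shared_mac_sources(frames, gateway_macs=(), min_ips=2):
    """MACs seen with >= min_ips source IPs, skipping known routers."""
    routers = {norm_mac(m) for m in gateway_macs}
    seen = defaultdict(set)
    for mac, src_ip, _ in frames:
        seen[mac].add(src_ip)
    return {mac: sorted(ips) for mac, ips in seen.items()
            if mac not in routers and len(ips) >= min_ips}
```

Calling `shared_mac_sources(parse_frames(SAMPLE_LOG))` without a gateway list also returns the router's MAC, so the result is only meaningful once the segment's own routers are listed.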
