[Snort-users] Nice result with Snort.

Jan Hugo Prins j.h.prins at ...1226...
Mon Jan 29 16:45:46 EST 2001

On Monday 29 January 2001 22:18, you wrote:
> On Mon, 29 Jan 2001, Jan Hugo Prins wrote:
> > The HW I got from the packet is the HW of a system within my own segment
> > and they can be obtained from packets where the IP address is not masked.
> > At least, that is what I know about it.
> But you still haven't identified the attacker.
> The only way you could identify them from the mac address is if they were
> on your same ethernet segment.
> -Dan

Did an extra check just now:

[root at ...1230... /root]# ping
PING ( from : 56(84) bytes of data.
64 bytes from icmp_seq=0 ttl=128 time=115.195 msec
64 bytes from icmp_seq=1 ttl=128 time=77.028 msec
--- ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/mdev = 77.028/96.111/115.195/19.086 ms
[root at ...1230... /root]# arp
Address                 HWtype  HWaddress           Flags Mask            
Iface            ether   00:50:0B:66:C0:00   C                     eth1
cp74485-a.tilbu1.nb.nl. ether   00:A0:C9:D9:00:87   C                     eth1
[root at ...1230... /root]#                                                        
I think this system actually is in my own segment.

Jan Hugo
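
The check discussed in this thread, written out as an added example (not part of the original post or of Snort): it compares the source MAC of a logged frame against the ARP cache to decide whether the MAC says anything about the sender. The addresses, the gateway IP and the function names are constructed assumptions.

```python
import re

# Constructed sample of `arp -n` style output. The IPs and MACs are
# documentation values, not the ones from the post.
ARP_OUTPUT = """\
Address                 HWtype  HWaddress           Flags Mask            Iface
192.0.2.1               ether   00:00:5E:00:53:01   C                     eth1
192.0.2.74              ether   00:00:5E:00:53:4A   C                     eth1
"""
GATEWAY_IP = "192.0.2.1"  # assumption: the default router on this segment

# One table row: IP, the literal "ether", then a colon-separated MAC.
ROW = re.compile(
    r"^(\S+)\s+ether\s+((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s", re.M)


def parse_arp(text):
    """Return {MAC (lower case): IP} for every Ethernet entry in the table."""
    return {mac.lower(): ip for ip, mac in ROW.findall(text)}


def classify(src_ip, src_mac, arp_text=ARP_OUTPUT, gateway_ip=GATEWAY_IP):
    """Say what the source MAC of a logged frame tells us about the sender.

    A MAC can itself be forged, so every result is a lead, not proof.
    """
    owner_ip = parse_arp(arp_text).get(src_mac.lower())
    if owner_ip is None:
        return "unknown: MAC not in ARP cache"
    if owner_ip == gateway_ip:
        # Routed traffic arrives with the router's MAC, whoever sent it.
        return "remote: MAC identifies only the router"
    if owner_ip == src_ip:
        return "local: sender is on this segment and used its own IP"
    # Known local MAC, but the packet carries a different source IP.
    return f"local-spoofed: MAC belongs to {owner_ip}, packet claims {src_ip}"


if __name__ == "__main__":
    for ip, mac in [("198.51.100.9", "00:00:5E:00:53:01"),
                    ("198.51.100.9", "00:00:5E:00:53:4A")]:
        print(ip, mac, "->", classify(ip, mac))
```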
