[Snort-users] Nice result with Snort.

Jan Hugo Prins j.h.prins at ...1226...
Mon Jan 29 16:45:46 EST 2001


On Monday 29 January 2001 22:18, you wrote:
> On Mon, 29 Jan 2001, Jan Hugo Prins wrote:
> > The HW I got from the packet is the HW of a system within my own segment
> > and they can be obtained from packets where the IP address is not masked.
> > At least, that is what I know about it.
>
> But you still haven't identified the attacker.
>
> The only way you could identify them from the mac address is if they were
> on your same ethernet segment.
>
> -Dan

Did an extra check just now:

[root at ...1230... /root]# ping 213.51.157.97
PING 213.51.157.97 (213.51.157.97) from 213.51.157.178 : 56(84) bytes of data.
64 bytes from 213.51.157.97: icmp_seq=0 ttl=128 time=115.195 msec
64 bytes from 213.51.157.97: icmp_seq=1 ttl=128 time=77.028 msec
 
--- 213.51.157.97 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/mdev = 77.028/96.111/115.195/19.086 ms
[root at ...1230... /root]# arp
Address                 HWtype  HWaddress           Flags Mask            Iface
213.51.156.1            ether   00:50:0B:66:C0:00   C                     eth1
cp74485-a.tilbu1.nb.nl. ether   00:A0:C9:D9:00:87   C                     eth1
[root at ...1230... /root]#

I think this system actually is in my own segment.

Greetings,
Jan Hugo
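
The check discussed in this thread, as an added example that is not part of the original message: given the source MAC from a captured packet, look it up in the local ARP table to tell whether it belongs to a host on the same segment or only to the router that forwarded the frame. The sample table is constructed (RFC 5737 addresses, made-up MACs), and the function names and the gateway address passed in are assumptions of this example.

```python
import re

# Constructed sample in the column layout of Linux `arp -n` output.
# Addresses are RFC 5737 documentation addresses; MACs are made up.
SAMPLE_ARP = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.0.2.1                ether   00:50:56:00:00:01   C                     eth1
192.0.2.97               ether   00:50:56:00:00:97   C                     eth1
192.0.2.50                       (incomplete)                              eth1
"""

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def parse_arp(text):
    """Return {mac_lowercase: [ip, ...]} for resolved ARP entries only."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        # Resolved rows look like: Address HWtype HWaddress Flags [Mask] Iface.
        # The header row and "(incomplete)" rows fail the MAC check and are skipped.
        if len(fields) >= 5 and MAC_RE.match(fields[2]):
            table.setdefault(fields[2].lower(), []).append(fields[0])
    return table


def classify_source_mac(arp_text, packet_mac, gateway_ip):
    """Classify the source MAC seen in a captured frame.

    "gateway"    - the MAC is the router's: the sender is off-segment and the
                   MAC says nothing about who sent the packet.
    "local-host" - the MAC resolves to a non-gateway address on this segment.
    "unknown"    - no resolved ARP entry carries this MAC.
    """
    ips = parse_arp(arp_text).get(packet_mac.lower(), [])
    if not ips:
        return ("unknown", [])
    if gateway_ip in ips:
        return ("gateway", ips)
    return ("local-host", ips)


if __name__ == "__main__":
    for mac in ("00:50:56:00:00:97", "00:50:56:00:00:01", "00:50:56:00:00:AA"):
        print(mac, classify_source_mac(SAMPLE_ARP, mac, "192.0.2.1"))
```

Use numeric output (`arp -n`) as input so that entries are keyed by address rather than by reverse-DNS name.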



