[Snort-users] Nice result with Snort.
Jan Hugo Prins
j.h.prins at ...1226...
Mon Jan 29 16:45:46 EST 2001
On Monday 29 January 2001 22:18, you wrote:
> On Mon, 29 Jan 2001, Jan Hugo Prins wrote:
> > The HW I got from the packet is the HW of a system within my own segment
> > and they can be obtained from packets where the IP address is not masked.
> > At least, that is what I know about it.
> But you still haven't identified the attacker.
> The only way you could identify them from the mac address is if they were
> on your same ethernet segment.
Did an extra check just now:
[root at ...1230... /root]# ping 220.127.116.11
PING 18.104.22.168 (22.214.171.124) from 126.96.36.199 : 56(84) bytes of data.
64 bytes from 188.8.131.52: icmp_seq=0 ttl=128 time=115.195 msec
64 bytes from 184.108.40.206: icmp_seq=1 ttl=128 time=77.028 msec
--- 220.127.116.11 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/mdev = 77.028/96.111/115.195/19.086 ms
[root at ...1230... /root]# arp
Address HWtype HWaddress Flags Mask
18.104.22.168 ether 00:50:0B:66:C0:00 C eth1
cp74485-a.tilbu1.nb.nl. ether 00:A0:C9:D9:00:87 C eth1
[root at ...1230... /root]#
I think this system actually is in my own segment.
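
Added example (not part of the original post, and not Snort code): one way to run the check discussed above. It takes the source MAC from a logged frame and looks it up in `arp` output to see whether it names a single neighbour on the segment or a device that answers for several addresses. The sample table, its addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample in the column layout printed by Linux `arp`;
# documentation-range addresses, not the values from the post.
SAMPLE_ARP = """\
Address        HWtype  HWaddress           Flags Mask  Iface
192.0.2.1      ether   00:00:5E:00:53:01   C           eth1
192.0.2.40     ether   00:00:5E:00:53:40   C           eth1
198.51.100.7   ether   00:00:5E:00:53:01   C           eth1
192.0.2.77             (incomplete)                    eth1
"""

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

def parse_arp(text):
    """Return {mac_lowercase: [(address, iface), ...]} for resolved entries."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        macs = [f for f in fields if MAC_RE.match(f)]
        if not macs:              # header row, "(incomplete)" or blank line
            continue
        table.setdefault(macs[0].lower(), []).append((fields[0], fields[-1]))
    return table

def classify_mac(frame_mac, arp_text, gateway_ip=None):
    """Classify a source MAC taken from a logged frame (heuristic).

    'local-host'   : MAC maps to exactly one neighbour, not the gateway
    'router/proxy' : MAC is the gateway's, or answers for several addresses
                     (router, proxy ARP, or a host with several addresses),
                     so it does not by itself name the sender
    'unknown'      : MAC is not in the ARP cache
    """
    owners = parse_arp(arp_text).get(frame_mac.lower(), [])
    if not owners:
        return "unknown", owners
    ips = {ip for ip, _ in owners}
    if gateway_ip in ips or len(ips) > 1:
        return "router/proxy", owners
    return "local-host", owners

if __name__ == "__main__":
    for mac in ("00:00:5E:00:53:40", "00:00:5E:00:53:01", "00:00:5E:00:53:99"):
        print(mac, classify_mac(mac, SAMPLE_ARP, gateway_ip="192.0.2.1"))
```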