[Snort-users] Possible network mapping?

Bill Marquette wlmarque at ...8...
Thu Mar 1 16:31:11 EST 2001


rofl, you wouldn't mind getting us copies of those pictures would you?  I for
one wouldn't mind having one nearby when asked why the product isn't in use in
our environment (not that this is the reason mind you, but it would be great for
the response : ) )

--Bill



From: "shawn . moyer" <shawn at ...1184...> on 03/01/2001 02:43 PM

To:   Bill Marquette/National/Hewitt Associates at ...1126... Associates NA
      snort-users at lists.sourceforge.net
cc:
Client:
Subject:  Re: [Snort-users] Possible network mapping?




OT anecdote: LocalDirectors bite. A buddy of mine with IBM Global has
pictures of the server racks from the Victoria's Secret SuperBowl
webcast where the LocalDirector actually CAUGHT ON FIRE b/c of the load.
Nice work. :)




--shawn



Bill Marquette wrote:
>
> Might be a device behind a Cisco Local Director...we've seen FIN/ACKs from
> numerous sites (aol.com for example) where we'll block the packet from what
> appears to be a valid web server...after contacting admins we've always found
> that these servers were behind a Cisco LD.  I suspect the state table in the
> NAT on the Cisco device is too small and the second it FINs it drops the
> connection and the web server's FIN comes a hair too late and doesn't get
> NAT'd, just gets passed straight out.
>
> --Bill
>
> From: Dr SuSE <drsuse at ...748...> on 03/01/2001 10:02 AM
>
> To:   Snort Users <snort-users at lists.sourceforge.net>
> cc:
> Client:
> Subject:  [Snort-users] Possible network mapping?
>
> Has anyone seen this type of traffic before?  There never was a three-way
> handshake between my machine at 192.0.0.11 and 209.67.42.78, which resolves to
> orb-cache2.starmedia.com.
> I'm assuming it might be a forged packet sent to solicit a response, i.e. the TCP
> reset reply from my machine.
>
> 03/01-02:04:00.491740 209.67.42.78:80 -> 192.0.0.11:1188
> TCP TTL:49 TOS:0x0 ID:14034 IpLen:20 DgmLen:40 DF
> ***A***F Seq: 0xB0B32B46  Ack: 0x97F4B645  Win: 0x4350  TcpLen: 20
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 03/01-02:04:00.491891 192.0.0.11:1188 -> 209.67.42.78:80
> TCP TTL:128 TOS:0x0 ID:23342 IpLen:20 DgmLen:40
> *****R** Seq: 0x97F4B645  Ack: 0x97F4B645  Win: 0x0  TcpLen: 20
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> ---------------------------------------------
> Microsoft is not installed.
> http://www.drsuse.org/
>

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
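
An added example, not part of the thread and not Snort's own code: Python that parses the packet-dump format quoted above, flags FIN/ACKs on flows for which the capture holds no SYN, and checks whether the reply is the RST that RFC 793 prescribes for a closed port (Seq taken from the incoming segment's Ack). The function names are hypothetical, and a missing SYN only means something if the capture covers the start of the flow.

```python
import re

# The two packets from the original post, copied without the "> " quoting.
SAMPLE = """\
03/01-02:04:00.491740 209.67.42.78:80 -> 192.0.0.11:1188
TCP TTL:49 TOS:0x0 ID:14034 IpLen:20 DgmLen:40 DF
***A***F Seq: 0xB0B32B46  Ack: 0x97F4B645  Win: 0x4350  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/01-02:04:00.491891 192.0.0.11:1188 -> 209.67.42.78:80
TCP TTL:128 TOS:0x0 ID:23342 IpLen:20 DgmLen:40
*****R** Seq: 0x97F4B645  Ack: 0x97F4B645  Win: 0x0  TcpLen: 20
"""

PKT = re.compile(
    r"^(?P<ts>\d\d/\d\d-[\d:.]+) (?P<src>\S+) -> (?P<dst>\S+)\n"
    r"TCP TTL:(?P<ttl>\d+).*\n"
    r"(?P<flags>[*12UAPRSF]{8}) Seq: (?P<seq>0x[0-9A-Fa-f]+)\s+Ack: (?P<ack>0x[0-9A-Fa-f]+)",
    re.M)

def parse(dump):
    """Yield one dict per TCP packet found in a Snort packet dump."""
    for m in PKT.finditer(dump):
        p = m.groupdict()
        p["flags"] = set(p["flags"]) - {"*"}
        p["seq"], p["ack"], p["ttl"] = int(p["seq"], 16), int(p["ack"], 16), int(p["ttl"])
        yield p

def out_of_state_fins(dump):
    """Return FIN/ACKs on flows with no SYN in the capture, and whether the
    reply was the RST that RFC 793 prescribes for a closed port."""
    opened, pending, findings = set(), {}, []
    for p in parse(dump):
        flow = frozenset((p["src"], p["dst"]))
        if "S" in p["flags"]:
            opened.add(flow)
        elif {"F", "A"} <= p["flags"] and flow not in opened:
            pending[flow] = {"fin": p, "reset_by_receiver": False}
            findings.append(pending[flow])
        elif "R" in p["flags"] and flow in pending:
            fin = pending[flow]["fin"]
            # RFC 793: a RST answering a segment that carries ACK takes its
            # sequence number from that segment's ACK field.
            pending[flow]["reset_by_receiver"] = (
                p["src"] == fin["dst"] and p["seq"] == fin["ack"])
    return findings
```

On the posted capture this reports one out-of-state FIN/ACK from 209.67.42.78:80 and confirms that the reset from 192.0.0.11 is the ordinary closed-port reply; it does not by itself distinguish a forged probe from a late FIN that slipped past a NAT device.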









