Way off Topic, was RE: [Snort-users] Possible network mapping?

Utopian Admin admin at ...1419...
Thu Mar 1 18:00:21 EST 2001


Yes, please -- you can even mask out the faces!  I'm confused though - did
the router get hot because of the traffic, or the content? (ar-ar) ;)

Cheers,
Mike.

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Bill Marquette
Sent: Thursday, March 01, 2001 3:31 PM
To: shawn . moyer
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Possible network mapping?




rofl, you wouldn't mind getting us copies of those pictures would you?  I for
one wouldn't mind having one nearby when asked why the product isn't in use in
our environment (not that this is the reason mind you, but it would be great for
the response : ) )

--Bill



From: "shawn . moyer" <shawn at ...1184...> on 03/01/2001 02:43 PM

To:   Bill Marquette/National/Hewitt Associates at ...1126... Associates NA
      snort-users at lists.sourceforge.net
cc:
Client:
Subject:  Re: [Snort-users] Possible network mapping?




OT anecdote: LocalDirectors bite. A buddy of mine with IBM Global has
pictures of the server racks from the Victoria's Secret SuperBowl
webcast where the LocalDirector actually CAUGHT ON FIRE b/c of the load.
Nice work. :)




--shawn



Bill Marquette wrote:
>
> Might be a device behind a Cisco Local Director...we've seen FIN/ACKs from
> numerous sites (aol.com for example) where we'll block the packet from what
> appears to be a valid web server...after contacting admins we've always found
> that these servers were behind a Cisco LD.  I suspect the state table in the NAT
> on the Cisco device is too small and the second it FINs it drops the connection
> and the web server's FIN comes a hair too late and doesn't get NATd, just gets
> passed straight out.
>
> --Bill
>
> From: Dr SuSE <drsuse at ...748...> on 03/01/2001 10:02 AM
>
> To:   Snort Users <snort-users at lists.sourceforge.net>
> cc:
> Client:
> Subject:  [Snort-users] Possible network mapping?
>
> Has anyone seen this type of traffic before?  There never was a three way
> handshake between my machine at 192.0.0.11 and 209.67.42.78 which resolves to
> orb-cache2.starmedia.com
> I'm assuming it might be a forged packet sent to solicit a response, i.e. the tcp
> reset reply from my machine.
>
> 03/01-02:04:00.491740 209.67.42.78:80 -> 192.0.0.11:1188
> TCP TTL:49 TOS:0x0 ID:14034 IpLen:20 DgmLen:40 DF
> ***A***F Seq: 0xB0B32B46  Ack: 0x97F4B645  Win: 0x4350  TcpLen: 20
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 03/01-02:04:00.491891 192.0.0.11:1188 -> 209.67.42.78:80
> TCP TTL:128 TOS:0x0 ID:23342 IpLen:20 DgmLen:40
> *****R** Seq: 0x97F4B645  Ack: 0x97F4B645  Win: 0x0  TcpLen: 20
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> ---------------------------------------------
> Microsoft ist nicht installiert.
> http://www.drsuse.org/
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users

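Added example, not part of the original thread: a small Python triage script for the traffic discussed above. It reads Snort packet dumps in the format Dr SuSE posted and lists FIN/ACK segments for flows with no SYN in the capture, noting whether the receiver answered with an RST whose Seq equals the FIN's Ack. The function names and the second flow (192.0.2.80) are constructed for illustration.

```python
import re

# Constructed sample: the two packets quoted in the thread, followed by a
# made-up flow (192.0.2.80) whose SYN is present in the capture, for contrast.
SAMPLE = """\
03/01-02:04:00.491740 209.67.42.78:80 -> 192.0.0.11:1188
TCP TTL:49 TOS:0x0 ID:14034 IpLen:20 DgmLen:40 DF
***A***F Seq: 0xB0B32B46  Ack: 0x97F4B645  Win: 0x4350  TcpLen: 20
03/01-02:04:00.491891 192.0.0.11:1188 -> 209.67.42.78:80
TCP TTL:128 TOS:0x0 ID:23342 IpLen:20 DgmLen:40
*****R** Seq: 0x97F4B645  Ack: 0x97F4B645  Win: 0x0  TcpLen: 20
03/01-02:05:10.000000 192.0.0.11:1190 -> 192.0.2.80:80
TCP TTL:128 TOS:0x0 ID:23350 IpLen:20 DgmLen:44
******S* Seq: 0x11111111  Ack: 0x0  Win: 0x2000  TcpLen: 24
03/01-02:05:40.000000 192.0.2.80:80 -> 192.0.0.11:1190
TCP TTL:49 TOS:0x0 ID:14100 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x22222222  Ack: 0x11111200  Win: 0x4350  TcpLen: 20
"""

PKT = re.compile(
    r"(?P<ts>\S+) (?P<src>[\d.]+:\d+) -> (?P<dst>[\d.]+:\d+)\s*\n"
    r"TCP [^\n]*\n"
    r"(?P<flags>[*\w]{8}) Seq: (?P<seq>0x[0-9A-Fa-f]+)\s+Ack: (?P<ack>0x[0-9A-Fa-f]+)")

def parse(dump):
    """Yield one dict per TCP packet found in a Snort packet dump."""
    for m in PKT.finditer(dump):
        p = m.groupdict()
        p["flags"] = set(p["flags"]) - {"*"}   # "***A***F" -> {'A', 'F'}
        p["seq"], p["ack"] = int(p["seq"], 16), int(p["ack"], 16)
        yield p

def stray_fins(dump):
    """List FIN/ACKs for flows with no SYN in the capture. The last field is True
    when the receiver sent an RST with Seq == the FIN's Ack, which is how RFC 793
    builds a reset for an unexpected segment that carries an ACK."""
    pkts = list(parse(dump))
    seen, out = set(), []
    for i, p in enumerate(pkts):
        flow = frozenset((p["src"], p["dst"]))
        if "S" in p["flags"]:
            seen.add(flow)                      # handshake observed for this flow
        elif {"F", "A"} <= p["flags"] and flow not in seen:
            rst = any(q["src"] == p["dst"] and q["dst"] == p["src"]
                      and "R" in q["flags"] and q["seq"] == p["ack"]
                      for q in pkts[i + 1:])
            out.append((p["ts"], p["src"], p["dst"], rst))
    return out
```

A capture that starts mid-connection will also trip the no-SYN test, so the output is a list of candidates to check against longer captures, not a verdict on either explanation offered in the thread.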