[Snort-users] Logging to tcpdump file and d/b

Steve Hutchins Steve.Hutchins at ...277...
Mon Mar 5 17:25:24 EST 2001


I know! Just call me NUMPTY for not hiding addresses properly!

Steve

-----Original Message-----
From: Steve Hutchins [mailto:Steve.Hutchins at ...277...]
Sent: Tuesday, 6 March 2001 10:32 
To: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Logging to tcpdump file and d/b


I am running ntp on both the sensor and the acid box, although
I appreciate how the times can differ fractionally.

The main reason I was looking into the alert was that I
have noticed acid showing quite a few TCP packets with a TTL of 255
and a sequence and ack of zero (from external addresses); btw, no
packets with a TTL of 255 are shown by either snort or tcpdump.

I have an example of an alert from last night that acid reports
as having a TTL of 255. The alerts are in the acid d/b
and in the syslog, but not in the binary.
I have listed the details below:

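One way to do the cross-check described in the message above, a scan of the sensor's tcpdump-format binary log for exactly the packets ACID is reporting (TTL 255 with both sequence and ack zero), as an added example that is not part of the original post or of Snort/ACID. It uses only the Python standard library and parses the classic pcap format directly, so it can be pointed at a real binary log; the three frames embedded here are constructed sample input, and their addresses are documentation ranges, not anything from the thread.

```python
import struct
from collections import Counter

# pcap global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def build_frame(src_ip, dst_ip, ttl, seq, ack, sport=1234, dport=80, flags=0x02):
    """Build a minimal Ethernet/IPv4/TCP frame (no payload) for the constructed sample.
    Checksums are left at zero; the scanner below never validates them."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      5 << 4, flags, 8192, 0, 0)          # data offset 5 words, no options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


def build_pcap(frames, first_ts=983750000):
    """Wrap frames in little-endian pcap record headers, one second apart."""
    out = bytearray(PCAP_GLOBAL_HDR)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", first_ts + i, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


def iter_packets(pcap_bytes):
    """Yield (ts_sec, frame_bytes) from a classic pcap file written in either byte order."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", pcap_bytes[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    off = 24
    while off + 16 <= len(pcap_bytes):
        ts_sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        off += 16
        yield ts_sec, pcap_bytes[off:off + incl_len]
        off += incl_len


def parse_ipv4_tcp(frame):
    """Return (src, dst, ttl, seq, ack) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 6 or len(ip) < ihl + 20:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    _sport, _dport, seq, ack = struct.unpack("!HHII", ip[ihl:ihl + 12])
    return src, dst, ip[8], seq, ack


def ttl_counts(pcap_bytes):
    """TTL histogram over the IPv4/TCP packets in the file: the 'any TTL 255 at all?' check."""
    counts = Counter()
    for _ts, frame in iter_packets(pcap_bytes):
        p = parse_ipv4_tcp(frame)
        if p:
            counts[p[2]] += 1
    return counts


def find_suspect_packets(pcap_bytes, ttl=255):
    """Packets shaped like the ACID rows: the given TTL with both seq and ack equal to zero."""
    hits = []
    for ts, frame in iter_packets(pcap_bytes):
        p = parse_ipv4_tcp(frame)
        if p and p[2] == ttl and p[3] == 0 and p[4] == 0:
            hits.append((ts,) + p)
    return hits


# Constructed sample log: one ordinary SYN, one packet shaped like the ACID rows,
# and one TTL-255 packet with real sequence/ack numbers (must not match).
SAMPLE_PCAP = build_pcap([
    build_frame("198.51.100.10", "192.0.2.5", ttl=64, seq=0x1A2B3C4D, ack=0),
    build_frame("203.0.113.7", "192.0.2.5", ttl=255, seq=0, ack=0),
    build_frame("203.0.113.8", "192.0.2.5", ttl=255, seq=0x11223344, ack=0x55667788, flags=0x10),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    print("TTL histogram:", dict(ttl_counts(data)))
    for ts, src, dst, ttl, seq, ack in find_suspect_packets(data):
        print(f"{ts} {src} -> {dst} ttl={ttl} seq={seq} ack={ack}")
```

Run it with the path to the sensor's binary log as the only argument (with no argument it scans the embedded sample). If the histogram shows no TTL 255 at all and `find_suspect_packets` returns nothing while the same time window has rows in the ACID database, the capture never saw those values and the discrepancy lies somewhere between the detection engine and the database, not on the wire.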