[Snort-users] Logging to tcpdump file and d/b
Steve.Hutchins at ...277...
Mon Mar 5 17:25:24 EST 2001
I know! Just call me NUMPTY for not hiding addresses properly!
From: Steve Hutchins [mailto:Steve.Hutchins at ...277...]
Sent: Tuesday, 6 March 2001 10:32
To: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Logging to tcpdump file and d/b
I am running ntp on both the sensor and the acid box, although
I appreciate that the times can differ fractionally.
The main reason I was looking into the alert was that I have
noticed acid showing quite a few TCP packets with a TTL of 255 and
sequence and ack numbers of zero (from external addresses), while,
by the way, neither snort nor tcpdump shows any packets with a TTL of 255.
I have an example of an alert from last night that acid reports
as having a TTL of 255. The alerts are in the acid d/b
and in the syslog, but not in the binary.
I have listed the details below:
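The cross-check the post describes (does the binary tcpdump log contain any TCP packet with a TTL of 255 and zero sequence and ack numbers?) can be made repeatable with a small pure-Python reader for the classic tcpdump/pcap format. This is an added example, not code from the original post, from Snort or from ACID; the sample capture it parses is constructed inline, and its addresses, ports and timestamps are made up.

```python
import struct

# Classic (non-pcapng) pcap as written by tcpdump -w / snort -b: a 24-byte
# global header followed by 16-byte record headers and raw link-layer frames.
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_pcap(frames):
    """Build a little-endian, Ethernet link-type pcap from raw frames (test data only)."""
    out = struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        # Constructed timestamps around the date of the post; not real captures.
        out += struct.pack('<IIII', 983750400 + i, 0, len(frame), len(frame))
        out += frame
    return out


def build_tcp_frame(src, dst, ttl, seq, ack, sport=12345, dport=80, flags=0x02):
    """Construct an Ethernet/IPv4/TCP frame. Checksums are left zero; the parser ignores them."""
    eth = b'\x00' * 6 + b'\x00' * 6 + struct.pack('!H', ETHERTYPE_IPV4)
    tcp = struct.pack('!HHIIBBHHH', sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 0, 0, ttl, IPPROTO_TCP, 0,
                     bytes(map(int, src.split('.'))), bytes(map(int, dst.split('.'))))
    return eth + ip + tcp


def iter_packets(data):
    """Yield (timestamp, frame) for every record in a classic pcap; handles both byte orders."""
    magic, = struct.unpack('<I', data[:4])
    if magic == 0xA1B2C3D4:
        endian = '<'
    elif magic == 0xD4C3B2A1:
        endian = '>'
    else:
        raise ValueError('not a classic pcap file')
    linktype, = struct.unpack(endian + 'I', data[20:24])
    if linktype != 1:
        raise ValueError('only Ethernet (link type 1) is handled here')
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + 'IIII', data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return src, dst, ttl, seq and ack for an IPv4/TCP frame, or None for anything else."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    ethertype, = struct.unpack('!H', frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4          # header length in bytes
    ttl, proto = ip[8], ip[9]
    if proto != IPPROTO_TCP or len(ip) < ihl + 20:
        return None
    seq, ack = struct.unpack('!II', ip[ihl + 4:ihl + 12])
    return {'src': '.'.join(map(str, ip[12:16])),
            'dst': '.'.join(map(str, ip[16:20])),
            'ttl': ttl, 'seq': seq, 'ack': ack}


def find_suspect_packets(data, ttl=255):
    """TCP packets with the given TTL and zero sequence and ack numbers, as ACID showed them."""
    hits = []
    for ts, frame in iter_packets(data):
        p = parse_tcp(frame)
        if p and p['ttl'] == ttl and p['seq'] == 0 and p['ack'] == 0:
            p['ts'] = ts
            hits.append(p)
    return hits


def ttl_histogram(data):
    """Count TCP packets per TTL value, to compare against what the database reports."""
    counts = {}
    for _, frame in iter_packets(data):
        p = parse_tcp(frame)
        if p:
            counts[p['ttl']] = counts.get(p['ttl'], 0) + 1
    return counts


# Constructed sample log: two ordinary packets plus one matching the pattern from the post.
SAMPLE_LOG = build_pcap([
    build_tcp_frame('10.0.0.5', '192.0.2.10', ttl=64, seq=1000, ack=0),
    build_tcp_frame('192.0.2.10', '10.0.0.5', ttl=128, seq=5000, ack=1001, flags=0x12),
    build_tcp_frame('203.0.113.7', '10.0.0.5', ttl=255, seq=0, ack=0),
])

if __name__ == '__main__':
    for hit in find_suspect_packets(SAMPLE_LOG):
        print(hit)
    print(ttl_histogram(SAMPLE_LOG))
```

To run it against a real log, replace SAMPLE_LOG with `open('snort.log', 'rb').read()`; an empty result from `find_suspect_packets` on the sensor's binary file, while the ACID database still lists such packets, isolates the discrepancy to the database/syslog path rather than to what was captured on the wire.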