[Snort-users] False Alert and IP Number

George D. Nincehelser george at ...2905...
Fri Sep 14 14:33:01 EDT 2001


I'm not sure if this is the appropriate list, but here's something odd I
noticed.

I don't think it is any problem with Snort, but I'm not sure why it is
happening.

I've had Snort running for some time on our DSL link attached to our
development lab.  Recently, the DSL provider filed for bankruptcy, so our
development systems were switched to another DSL provider.  Snort went along
for the ride.

Due to limited IP space on the new link, several of the development servers
were "stacked" onto one public IP number via NAT instead of each having its own
distinct public IP.

Since doing this, I've started getting alerts of the NetMetro Backdoor kind.
However, the traffic is innocent and normal for our product.

The only difference is the "stacked" public IP situation.  The alerts
started immediately after the IP change, and never occurred before.

Is it reasonable to think that the port-stacking and NAT is altering the
packets in a way that just happens to look like suspicious traffic?  (The
traffic causing this is between SCO Unix boxes running a custom application)

Thoughts?
Thanks
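The following is an added example, not code from the post or from Snort itself, that models one concrete way the situation described above can produce an alert. Many-to-one NAT ("port stacking") rewrites each lab server's source address to the single public address and allocates a new public source port from the NAT device's pool; the peer's replies then come back to that allocated port on the public address. A sensor on the public side of the NAT sees those replies as external-to-HOME_NET traffic aimed at whatever port the NAT handed out, so a rule keyed on a destination port range can fire on traffic that never matched when each server had its own address and used its own ephemeral ports. The addresses, the NAT port pool (5000-5100), the peer port and the rule header are all assumptions chosen for illustration; the ports in the real NetMetro signatures are not taken from this page. The `private_endpoint` lookup is the check a practitioner would run: map the alerted port back through the NAT table to the lab host that actually owns it.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values (assumptions for illustration, not from the post
# or from the Snort rule set).
PUBLIC_IP = "203.0.113.10"
HOME_NETS = [ipaddress.ip_network("203.0.113.0/24"),   # the new DSL link
             ipaddress.ip_network("10.0.0.0/8")]        # the lab behind the NAT
NAT_POOL = (5000, 5100)                                 # public source ports the NAT hands out
# Hypothetical backdoor-style rule: any external host talking to a port in the
# 5000-5100 range on a home host.
RULE = "alert tcp $EXTERNAL_NET any -> $HOME_NET 5000:5100"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self):
        """The peer's reply: addresses and ports swapped."""
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class PortNat:
    """Many-to-one NAT (PAT): each private (ip, port) pair is rewritten to the
    single public address plus a freshly allocated public source port."""

    def __init__(self, public_ip, pool):
        self.public_ip = public_ip
        self.next_port, self.last_port = pool
        self.table = {}          # (private_ip, private_port) -> public port

    def outbound(self, flow):
        key = (flow.src_ip, flow.src_port)
        if key not in self.table:
            if self.next_port > self.last_port:
                raise RuntimeError("NAT port pool exhausted")
            self.table[key] = self.next_port
            self.next_port += 1
        return Flow(self.public_ip, self.table[key], flow.dst_ip, flow.dst_port)

    def private_endpoint(self, public_port):
        """Reverse lookup: which lab host currently owns a translated port."""
        for (ip, port), pub in self.table.items():
            if pub == public_port:
                return ip, port
        return None


def _port_matches(spec, port):
    # Snort port syntax subset: any, N, N:M, :M, N:, with an optional leading '!'
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def _net_matches(spec, ip):
    addr = ipaddress.ip_address(ip)
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "$HOME_NET":
        hit = any(addr in net for net in HOME_NETS)
    elif spec == "$EXTERNAL_NET":
        hit = not any(addr in net for net in HOME_NETS)
    else:
        hit = addr in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def rule_matches(header, flow):
    """Evaluate a Snort-style rule header (no rule options) against one flow."""
    _action, _proto, src, sport, direction, dst, dport = header.split()
    if direction != "->":
        raise ValueError("only unidirectional headers are handled here")
    return (_net_matches(src, flow.src_ip) and _port_matches(sport, flow.src_port)
            and _net_matches(dst, flow.dst_ip) and _port_matches(dport, flow.dst_port))


def simulate(sensor_outside_nat):
    """A lab server opens a connection to a peer and the peer replies. Returns
    (rule fired?, destination port the sensor saw, NAT owner of that port)."""
    nat = PortNat(PUBLIC_IP, NAT_POOL)
    lab_request = Flow("10.0.0.5", 40211, "198.51.100.7", 6000)   # custom app, assumed ports
    public_request = nat.outbound(lab_request)
    reply = public_request.reverse() if sensor_outside_nat else lab_request.reverse()
    fired = rule_matches(RULE, reply)
    owner = nat.private_endpoint(reply.dst_port) if fired else None
    return fired, reply.dst_port, owner


if __name__ == "__main__":
    for outside in (False, True):
        print("sensor outside NAT:" if outside else "sensor inside NAT:", simulate(outside))
```

Run stand-alone, the inside-NAT sensor sees the reply to 10.0.0.5:40211 and stays quiet, while the outside-NAT sensor sees the same reply as 198.51.100.7 -> 203.0.113.10:5000 and trips the rule, with the NAT table naming 10.0.0.5:40211 as the real owner. In practice the same check means pulling the alert's destination port and comparing it against the NAT device's translation table (or its configured port pool) at the alert's timestamp; if every alerted port is one the NAT allocated, the signature is keying on ports the NAT chooses rather than on anything the SCO application does, and the fix is a pass rule or threshold for the known peers rather than a change to the application.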
