[Snort-users] Source IP/destination IP: how close is too close?

John Sage jsage at ...2022...
Thu Jan 17 20:12:02 EST 2002


I just had to post this snort capture of a probe to tcp:12345 -- look at 
the source IP address relative to my destination IP address as a dialup 
to access.att.net, out of AT&T's Seattle, WA pop...


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/17-18:47:48.819272 12.82.129.234:1182 -> 12.82.129.235:12345
TCP TTL:127 TOS:0x0 ID:18697 IpLen:20 DgmLen:48 DF
******S* Seq: 0x21DD8C  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 536 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/17-18:47:51.809627 12.82.129.234:1182 -> 12.82.129.235:12345
TCP TTL:127 TOS:0x0 ID:19209 IpLen:20 DgmLen:48 DF
******S* Seq: 0x21DD8C  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 536 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/17-18:47:57.800193 12.82.129.234:1182 -> 12.82.129.235:12345
TCP TTL:127 TOS:0x0 ID:19721 IpLen:20 DgmLen:48 DF
******S* Seq: 0x21DD8C  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 536 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/17-18:48:09.811401 12.82.129.234:1182 -> 12.82.129.235:12345
TCP TTL:127 TOS:0x0 ID:20233 IpLen:20 DgmLen:48 DF
******S* Seq: 0x21DD8C  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 536 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+



I mean, this guy is right on top of me ;-)

Think I should go yell out the front door for him to knock it off?

This is some clown I see a lot of; he's always nearby, but he's never 
been this "close".


- John

-- 
The web page you seek
cannot be found here:
countless others await
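
An added example, not part of the original post: a Python sketch that parses the header and flag lines of the capture above and, per connection, reports the numeric distance between the source and destination addresses and the spacing between packets. An identical sequence number resent at roughly doubling intervals indicates one connection attempt being retried by the sender's TCP stack rather than separate probes; the function names and the `year` parameter are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Header and flag lines copied from the capture in the post above.
CAPTURE = """\
01/17-18:47:48.819272 12.82.129.234:1182 -> 12.82.129.235:12345
******S* Seq: 0x21DD8C  Ack: 0x0  Win: 0x2000  TcpLen: 28
01/17-18:47:51.809627 12.82.129.234:1182 -> 12.82.129.235:12345
******S* Seq: 0x21DD8C  Ack: 0x0  Win: 0x2000  TcpLen: 28
01/17-18:47:57.800193 12.82.129.234:1182 -> 12.82.129.235:12345
******S* Seq: 0x21DD8C  Ack: 0x0  Win: 0x2000  TcpLen: 28
01/17-18:48:09.811401 12.82.129.234:1182 -> 12.82.129.235:12345
******S* Seq: 0x21DD8C  Ack: 0x0  Win: 0x2000  TcpLen: 28
"""

HEADER = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+):(\d+) -> (\S+):(\d+)\s*$")
FLAGS = re.compile(r"^(\S{8}) Seq: (0x[0-9A-Fa-f]+)")

def parse_packets(text, year=2002):
    """Yield (time, src, sport, dst, dport, flags, seq) per logged packet."""
    pending = None
    for line in text.splitlines():
        if m := HEADER.match(line):
            # The log line carries no year; it is supplied by the caller.
            ts = datetime.strptime(f"{year}/{m[1]}", "%Y/%m/%d-%H:%M:%S.%f")
            pending = (ts, m[2], int(m[3]), m[4], int(m[5]))
        elif pending and (m := FLAGS.match(line)):
            yield pending + (m[1], int(m[2], 16))
            pending = None

def summarize(text):
    """Group packets by 4-tuple, flags and sequence number."""
    flows = defaultdict(list)
    for ts, *key in parse_packets(text):
        flows[tuple(key)].append(ts)
    report = []
    for (src, sport, dst, dport, flags, seq), times in flows.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Same SYN resent at roughly doubling intervals = one retried connect.
        backoff = (flags == "******S*" and len(gaps) >= 2 and
                   all(a > 0 and 1.5 <= b / a <= 2.5 for a, b in zip(gaps, gaps[1:])))
        distance = abs(int(ipaddress.ip_address(dst)) - int(ipaddress.ip_address(src)))
        report.append({"src": src, "dst": dst, "dport": dport, "attempts": len(times),
                       "ip_distance": distance, "gaps": [round(g, 1) for g in gaps],
                       "syn_retransmit": backoff})
    return report

if __name__ == "__main__":
    for row in summarize(CAPTURE):
        print(row)
```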




