[Snort-users] (no subject)

Wirth, Jeff WirthJe at ...4876...
Fri May 31 12:54:03 EDT 2002


From: Hugo Ferr [mailto:snortgrp at ...125...]
> Snort LAN sensor
> Here is the line from acid:
>                            Source              Destination
> DOS MSDTC attempt          207.35.159.36:80    10.0.0.249:3372    TCP
> 
> 
> How is this possible? 10.0.0.249 is a proxy machine that 
> doesn't have public

Is your snort box inside your FW?  If so, I think what you are seeing here
is a false alarm.  The source port on the packet is 80 (HTTP) and you
mentioned that the 10.0.0.249 box is a proxy server, so if you are snorting
after NATing occurs this would explain things.

> ip. How can somebody connect to a non-routable ip from the 
> outside world?
> Or should I interpret this line as something else?
> 

- Jeff
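
The reasoning in the reply above, written as a triage check (an added example, not part of the original thread and not Snort or ACID code). The alert tuple format, the `PROXY_HOSTS` and `PROXY_UPSTREAM_PORTS` sets, and the second sample alert are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample alerts: (signature, source, destination, protocol).
# The first row is the alert quoted in the thread; the second is made up.
ALERTS = [
    ("DOS MSDTC attempt", "207.35.159.36:80", "10.0.0.249:3372", "TCP"),
    ("DOS MSDTC attempt", "198.51.100.7:40112", "10.0.0.20:3372", "TCP"),
]

# Assumption: service ports the proxy legitimately connects out to.
PROXY_UPSTREAM_PORTS = {80, 443, 8080}
# Assumption: internal hosts that open outbound connections for clients.
PROXY_HOSTS = {ipaddress.ip_address("10.0.0.249")}


def split_endpoint(endpoint):
    """Split 'a.b.c.d:port' into (ip_address, int port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def triage(alert):
    """Return (verdict, reasons) for one alert.

    An alert is ranked 'likely-reply-traffic' only when all three signs of a
    server-to-client reply are present; anything else stays 'investigate'.
    """
    _sig, src, dst, _proto = alert
    src_ip, src_port = split_endpoint(src)
    dst_ip, dst_port = split_endpoint(dst)
    reasons = []
    if src_port in PROXY_UPSTREAM_PORTS and not src_ip.is_private:
        reasons.append("source is a public host speaking from a web service port")
    if dst_ip in PROXY_HOSTS:
        reasons.append("destination is a known proxy that initiates outbound sessions")
    if dst_ip.is_private and dst_port >= 1024:
        reasons.append("destination port is in the unprivileged client port range")
    verdict = "likely-reply-traffic" if len(reasons) == 3 else "investigate"
    return verdict, reasons


if __name__ == "__main__":
    for alert in ALERTS:
        verdict, reasons = triage(alert)
        print(alert[0], alert[1], "->", alert[2], verdict, reasons)
```

The verdict only ranks alerts; confirming that the proxy opened the connection still requires the proxy or firewall session logs for the same time window.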



