[Snort-users] (no subject)

Wirth, Jeff WirthJe at ...4876...
Fri May 31 12:54:03 EDT 2002

From: Hugo Ferr [mailto:snortgrp at ...125...]
> Snort LAN sensor
> Here is the line from acid :
> Source
> destination
>       DOS MSDTC attempt        
> How is this possible? is a proxy machine taht 
> doesn't have public

Is your snort box inside your FW?  If so, I think what you are seeing here
is a false alarm.  The source port on the packet is 80 (HTTP) and you
mentioned that the box is a proxy server, so if you are snorting
after NATing occurs this would explain things.

> ip. How somebody can connect to non-routable ip from the 
> outside world?
> Or should I interpret this line as something else?

- Jeff

More information about the Snort-users mailing list