[Snort-users] (no subject)
WirthJe at ...4876...
Fri May 31 12:54:03 EDT 2002
From: Hugo Ferr [mailto:snortgrp at ...125...]
> Snort LAN sensor
> Here is the line from acid :
> DOS MSDTC attempt 220.127.116.11:80
> How is this possible? 10.0.0.249 is a proxy machine taht
> doesn't have public
Is your snort box inside your FW? If so, I think what you are seeing here
is a false alarm. The source port on the packet is 80 (HTTP) and you
mentioned that the 10.0.0.249 box is a proxy server, so if you are snorting
after NATing occurs this would explain things.
> ip. How somebody can connect to non-routable ip from the
> outside world?
> Or should I interpret this line as something else?
More information about the Snort-users