[Snort-users] (no subject)

John Stroud bear at ...5950...
Fri May 31 13:00:03 EDT 2002

I forgot to copy the list on my reply, but then I made a typo on it, so
here we go again, corrected....

I interpreted the transactions listed as:
Webserver:80 -> Browser:3372    (Reply)

So I assume somewhere in the packet stream is a:
Browser:3372 -> Webserver:80    (original request)

If this assumption is correct, it could be a false positive.

I see false positives a lot when I'm reading about IDS and virus
signatures and the actual content delivered contains the signature, and
a port of 80.  

Notice in the alert the internal address listed as the destination
appears to be receiving a reply from a server from which a request was
made?  The source, not the destination, is on port 80.


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Hugo Ferr
Sent: Friday, May 31, 2002 10:55 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] (no subject)

Snort LAN sensor
Here is the line from acid :
      DOS MSDTC attempt

How is this possible? is a proxy machine that doesn't have
ip. How can somebody connect to a non-routable ip from the outside world?
Or should I interpret this line as something else?


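
The check described in the reply (look for the original Browser:3372 -> Webserver:80 request behind the alerted Webserver:80 -> Browser:3372 packet), as an added example that is not part of the original thread. The packet records, addresses and the `triage` helper are constructed for illustration; only ports 80 and 3372 come from the messages.

```python
from collections import namedtuple

# Constructed sample capture; addresses are private/documentation ranges.
Pkt = namedtuple("Pkt", "ts src sport dst dport flags")

PACKETS = [
    Pkt(1.00, "192.168.1.10", 3372, "203.0.113.5", 80, "S"),     # browser opens connection
    Pkt(1.02, "203.0.113.5", 80, "192.168.1.10", 3372, "SA"),
    Pkt(1.03, "192.168.1.10", 3372, "203.0.113.5", 80, "A"),
    Pkt(1.20, "203.0.113.5", 80, "192.168.1.10", 3372, "PA"),    # web reply that raised the alert
    Pkt(5.00, "198.51.100.7", 40000, "192.168.1.20", 3372, "S"),  # unsolicited inbound connection
    Pkt(5.30, "198.51.100.7", 40000, "192.168.1.20", 3372, "PA"),
]

def find_initiator(alert, packets):
    """Return the most recent bare SYN that opened the alerted connection, or None."""
    fwd = (alert.src, alert.sport, alert.dst, alert.dport)
    rev = (alert.dst, alert.dport, alert.src, alert.sport)
    syns = [p for p in packets
            if p.flags == "S" and p.ts <= alert.ts
            and (p.src, p.sport, p.dst, p.dport) in (fwd, rev)]
    return max(syns, key=lambda p: p.ts) if syns else None

def triage(alert, packets):
    """Classify an alerted packet by who opened the TCP connection it belongs to."""
    syn = find_initiator(alert, packets)
    if syn is None:
        return "unknown"   # handshake not captured; direction cannot be confirmed
    if (syn.src, syn.sport) == (alert.dst, alert.dport):
        return "reply"     # alert destination started the session: likely false positive
    return "inbound"       # alert source connected to the alerted port: investigate

if __name__ == "__main__":
    for alert in (PACKETS[3], PACKETS[5]):
        print(f"{alert.src}:{alert.sport} -> {alert.dst}:{alert.dport} = "
              f"{triage(alert, PACKETS)}")
```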