[Snort-users] (no subject)

John Stroud bear at ...5950...
Fri May 31 13:00:03 EDT 2002


I forgot to copy the list on my reply, but then I made a typo on it, so
here we go again, corrected....

I interpreted the transactions listed as:
Webserver:80 -> Browser:3372    (Reply)

So I assume somewhere in the packets stream is a:
Browser:3372 -> Webserver:80    (original request)

If this assumption is correct, it could be a false positive.

I see false positives a lot when I'm reading about IDS and virus
signatures and the actual content delivered contains the signature, and
a port of 80.

Notice in the alert the internal address listed as the destination
appears to be receiving a reply from a server from which a request was
made?  The source, not the destination, is on port 80.

J.

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Hugo Ferr
Sent: Friday, May 31, 2002 10:55 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] (no subject)

Snort LAN sensor
Here is the line from ACID:

Signature           Source              Destination       Proto
DOS MSDTC attempt   207.35.159.36:80    10.0.0.249:3372   TCP


How is this possible? 10.0.0.249 is a proxy machine that doesn't have a
public IP. How can somebody connect to a non-routable IP from the outside
world? Or should I interpret this line as something else?

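As an added illustration of John's triage reasoning (this is not code from the thread or from the Snort project): a small Python helper that parses an ACID-style alert line like Hugo's, infers the flow direction from the port numbers, and flags the case where a private-address destination is simply receiving the reply to its own outbound request. The well-known-port heuristic (source port below 1024 means the server side), the alert-line layout, and the field names are assumptions.

```python
import ipaddress
import re

# Constructed sample in the layout ACID printed it: signature, src:port, dst:port, proto.
ALERT_LINE = "DOS MSDTC attempt  207.35.159.36:80  10.0.0.249:3372  TCP"

ALERT_RE = re.compile(
    r"^(?P<sig>.+?)\s+(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)

def parse_alert(line):
    """Split one ACID-style alert line into its fields."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    fields = m.groupdict()
    fields["sport"] = int(fields["sport"])
    fields["dport"] = int(fields["dport"])
    return fields

def flow_direction(sport, dport):
    """Guess which end is the server from the ports alone (assumption: a
    well-known port below 1024 is the service, an ephemeral port the client)."""
    if sport < 1024 <= dport:
        return "server_to_client"  # the server's reply, carrying delivered content
    if dport < 1024 <= sport:
        return "client_to_server"  # the client's original request
    return "unknown"

def triage(line):
    """Annotate the alert with the inferred direction and whether it looks like
    the internal (private-address) host just receiving a reply it asked for."""
    a = parse_alert(line)
    direction = flow_direction(a["sport"], a["dport"])
    src_private = ipaddress.ip_address(a["src"]).is_private
    dst_private = ipaddress.ip_address(a["dst"]).is_private
    # A private destination on the reply leg means the internal host opened the
    # connection itself; nothing from outside "connected in" to the 10.x address.
    reply_to_internal = direction == "server_to_client" and dst_private and not src_private
    return {**a, "direction": direction, "dst_private": dst_private,
            "likely_reply_to_internal_request": reply_to_internal}

if __name__ == "__main__":
    print(triage(ALERT_LINE))
```

Port-based direction is only a heuristic; the sensor's own session tracking is authoritative, and in Snort rules the `flow:to_server,established` option keeps a request-side signature from firing on reply traffic like this.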