[Snort-users] (no subject)
bear at ...5950...
Fri May 31 13:00:03 EDT 2002
I forgot to copy the list on my reply, but then I made a typo on it, so
here we go again, corrected....
I interpreted the transactions listed as:
Webserver:80 -> Browser:3372 (Reply)
So I assume somewhere in the packets stream is a:
Browser:3372 -> Webserver:80 (original request)
If this assumption is correct, it could be a false positive.
I see false positives a lot when I'm reading about IDS and virus
signatures and the actual content delivered contains the signature, and
a port of 80.
Notice in the alert the internal address listed as the destination
appears to be receiving a reply from a server from which a request was
made? The source, not the destination, is on port 80.
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Hugo Ferr
Sent: Friday, May 31, 2002 10:55 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] (no subject)
Snort LAN sensor
Here is the line from acid :
DOS MSDTC attempt 188.8.131.52:80 10.0.0.249:3372
How is this possible? 10.0.0.249 is a proxy machine that doesn't have
ip. How can somebody connect to a non-routable IP from the outside world?
Or should I interpret this line as something else?
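Added example, not part of the original thread: a small triage helper that reads an ACID-style summary line like the one quoted above and reports whether the flow runs in the reply direction (well-known service port as source, high port as destination), which is the pattern the reply identifies as a probable false positive. The service-port set, the 1024 threshold and the second sample line are assumptions constructed for illustration.

```python
import ipaddress
import re

# ACID-style summary line: "<signature> <src_ip>:<src_port> <dst_ip>:<dst_port>"
ALERT_RE = re.compile(
    r"^(?P<sig>.+?)\s+(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Assumption: services that internal clients commonly contact outbound.
SERVICE_PORTS = {21, 25, 53, 80, 110, 443}
# Assumption: client-side (ephemeral) source ports are 1024 and above.
EPHEMERAL_MIN = 1024


def parse_alert(line):
    """Split an alert summary line into signature, addresses and ports."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognized alert line: {line!r}")
    return {
        "sig": m["sig"],
        "src": ipaddress.ip_address(m["src"]),  # ValueError on a bad address
        "sport": int(m["sport"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
    }


def triage(line):
    """Return 'likely-reply' when the packet looks like a server answering a
    client whose ephemeral port happens to equal the port the rule watches;
    otherwise 'request-direction', which deserves a closer look."""
    a = parse_alert(line)
    src_is_server = a["sport"] in SERVICE_PORTS
    dst_is_client = a["dport"] >= EPHEMERAL_MIN
    if src_is_server and dst_is_client:
        return "likely-reply"
    return "request-direction"


if __name__ == "__main__":
    samples = [
        "DOS MSDTC attempt 188.8.131.52:80 10.0.0.249:3372",     # line from the post
        "DOS MSDTC attempt 198.51.100.7:4021 10.0.0.249:3372",   # constructed sample
    ]
    for s in samples:
        print(f"{triage(s):18} {s}")
```

A "likely-reply" verdict is only a hint: confirming it means finding the matching outbound request (here Browser:3372 -> Webserver:80) in the packet or session data.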