[Snort-users] (no subject)
snortgrp at ...125...
Fri May 31 13:21:02 EDT 2002
My Snort sniffs the LAN NIC of the firewall, but I think it sees the traffic
before it is NATed.
----- Original Message -----
From: "Wirth, Jeff" <WirthJe at ...4876...>
To: "'Hugo Ferr'" <snortgrp at ...125...>;
<snort-users at lists.sourceforge.net>
Sent: Friday, May 31, 2002 3:53 PM
Subject: RE: [Snort-users] (no subject)
> From: Hugo Ferr [mailto:snortgrp at ...125...]
> > Snort LAN sensor
> > Here is the line from acid :
> > Source    destination
> > DOS MSDTC attempt    220.127.116.11:80    10.0.0.249:3372    TCP
> > How is this possible? 10.0.0.249 is a proxy machine that
> > doesn't have a public
> Is your snort box inside your FW? If so, I think what you are seeing here
> is a false alarm. The source port on the packet is 80 (HTTP) and you
> mentioned that the 10.0.0.249 box is a proxy server, so if you are
> after NATing occurs this would explain things.
> > IP. How can somebody connect to a non-routable IP from the
> > outside world?
> > Or should I interpret this line as something else?
> - Jeff