[Snort-users] (no subject)

Hugo Ferr snortgrp at ...125...
Fri May 31 13:21:02 EDT 2002


My Snort sniffs the LAN NIC of the firewall, but I think it sees the traffic
before it is NATed.
----- Original Message -----
From: "Wirth, Jeff" <WirthJe at ...4876...>
To: "'Hugo Ferr'" <snortgrp at ...125...>;
<snort-users at lists.sourceforge.net>
Sent: Friday, May 31, 2002 3:53 PM
Subject: RE: [Snort-users] (no subject)


> From: Hugo Ferr [mailto:snortgrp at ...125...]
> > Snort LAN sensor
> > Here is the line from acid :
> > Source   destination
> >       DOS MSDTC attempt         207.35.159.36:80   10.0.0.249:3372   TCP
> >
> >
> > How is this possible? 10.0.0.249 is a proxy machine that doesn't have public
>
> Is your snort box inside your FW?  If so, I think what you are seeing here
> is a false alarm.  The source port on the packet is 80 (HTTP) and you
> mentioned that the 10.0.0.249 box is a proxy server, so if you are snorting
> after NATing occurs this would explain things.
>
> > IP. How can somebody connect to a non-routable IP from the
> > outside world?
> > Or should I interpret this line as something else?
> >
>
> - Jeff
>
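
The reasoning in the reply above (source port 80, destination a proxy on a high port) can be turned into a triage check. This is an added example, not code from the thread or from Snort/ACID; the service-port set, the 1025-5000 ephemeral range (the default on older Windows hosts) and the flattened alert-line format are assumptions, and the two extra alert lines are constructed.

```python
import ipaddress
import re

# Assumptions (not from the thread): ports the proxy fetches from, and the
# client-side ephemeral range (1025-5000, the default on older Windows hosts).
SERVICE_PORTS = {80, 443}
EPHEMERAL = range(1025, 5001)
# Hosts known to open outbound connections; here, the proxy from the thread.
OUTBOUND_CLIENTS = {ipaddress.ip_address("10.0.0.249")}

# Flattened ACID row: signature, src ip:port, dst ip:port, protocol.
ALERT_RE = re.compile(
    r"^\s*(?P<sig>.+?)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)\s*$"
)

def parse_alert(line):
    """Parse one flattened alert row into a dict; raise ValueError if malformed."""
    m = ALERT_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable alert line: {line!r}")
    return {
        "sig": m["sig"],
        "src": ipaddress.ip_address(m["src"]),
        "sport": int(m["sport"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "proto": m["proto"].upper(),
    }

def triage(alert):
    """Flag alerts that look like server replies to a known outbound client."""
    if (alert["proto"] == "TCP"
            and alert["dst"] in OUTBOUND_CLIENTS
            and alert["sport"] in SERVICE_PORTS
            and alert["dport"] in EPHEMERAL):
        return "likely-return-traffic"
    return "investigate"

SAMPLE_ALERTS = [
    "DOS MSDTC attempt  207.35.159.36:80  10.0.0.249:3372  TCP",   # from the thread
    "DOS MSDTC attempt  203.0.113.7:40000  10.0.0.249:3372  TCP",  # constructed
    "DOS MSDTC attempt  203.0.113.7:80  10.0.0.5:3372  TCP",       # constructed
]

if __name__ == "__main__":
    for row in SAMPLE_ALERTS:
        print(triage(parse_alert(row)), "<-", row)
```

A remote sender chooses its own source port, so this only ranks alerts for review; confirm a "likely-return-traffic" verdict against the proxy's own connection log before tuning the rule.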



