[Snort-users] (no subject)

Marc Quibell mquibell at ...7759...
Thu Sep 18 06:55:02 EDT 2003


Broadcast addresses can't show up as a source. Must be your reporting is a
little whacky...What are the destinations?

Marc

>Message: 2
>From: "Edward Marshall" <edtech at ...9974...>
>To: <snort-users at lists.sourceforge.net>
>Date: Thu, 18 Sep 2003 05:59:43 -0400
>Subject: [Snort-users] Broadcast address???>

>This is a multi-part message in MIME format.

>------=_NextPart_000_0001_01C37DAA.0F55F630
>Content-Type: text/plain;
     charset="us-ascii"
>Content-Transfer-Encoding: 7bit

>Hi Guys, after running Snort 2.0.1 on a corporate network 192.168.2.0/24
>for a week, I used Sawmill to analyze the Snort log files (Alert,
>Portscan.log and Scan.log).
>I noticed that the following source IP addresses showed up 192.168.2.255
>(with 6,296 hits) and 255.255.255.255 (with 626 hits). My question is,
>isn't these two IP addresses - broadcast addresses???  How can a
>broadcast address show up as a source IP address???

>Any assistance would be greatly appreciated!!!


>Thanks

>Eddie








More information about the Snort-users mailing list