[Snort-users] Snort 2.8.6 generating invalid ip options in events?

Bruce A. Sanders basanders at ...14846...
Fri Jun 4 15:52:48 EDT 2010


Andy,  
I decoded the data portion (Base64) to "URL:http://iplane.cs.washington.edu/pl_measurement.html Contact:iplane-support at ...14887...". Took a look and it may provide more clues.

Bruce Sanders
ProObject
7467 Ridge Rd., Suite 330
Hanover, MD 21076
Office: 410-993-1699 x 170
Fax:410-993-1691
      _____  

  From: Joel Esler [mailto:jesler at ...1935...]
To: Andy Berryman [mailto:aberryman at ...14765...]
Cc: <snort-users at lists.sourceforge.net> [mailto:snort-users at ...3471...ge.net]
Sent: Fri, 04 Jun 2010 14:48:13 -0400
Subject: Re: [Snort-users] Snort 2.8.6 generating invalid ip options in events?

  
Is this a dump out of the database or something?

--
  
Joel Esler  
Sent from my iPhone  

On Jun 4, 2010, at 2:33 PM, "Andy Berryman" <aberryman at ...14765...> wrote:

  
    
  
  
I'm having an issue with snort 2.8.6 that I have really no clue on how to even start trying to figure out. So, besides Google, you guys are my first hope.   
   
I'm getting events from snort that have invalid ip options in the event. Hoping someone can point me in the right direction on how/where to start.   
   
Here's the event.   
   
iphdr:1406410883,3436490497,4,15,0,264,44627,0,0,26,1,12955  
ipopt:0,0,1,0,  
ipopt:1,0,7,37,KAoBZQTCsdFOw/sbIcP7G5o+KHxaPihwpkDWkZJA18PRkOgJpg==  
icmphdr:8,0,19178  
data:VVJMOmh0dHA6Ly9pcGxhbmUuY3Mud2FzaGluZ3Rvbi5lZHUvcGxfbWVhc3VyZW1lbnQuaHRt  
bCBDb250YWN0OmlwbGFuZS1zdXBwb3J0QGNzLndhc2hpbmd0b24uZWR1AAAAAAAAAAAAAAAA  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==  
   
Thanks,  
Andy Berryman  
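Added example (not part of the thread and not Snort code): decoding the two ipopt lines of the event quoted above, in Python. It assumes the comma-separated fields are option index, protocol, option code, length and Base64 data, which the thread does not state; the option numbers and the Record Route layout are from RFC 791.

```python
import base64
import ipaddress

# The two ipopt lines from the event quoted in the thread above.
IPOPT_LINES = [
    "ipopt:0,0,1,0,",
    "ipopt:1,0,7,37,KAoBZQTCsdFOw/sbIcP7G5o+KHxaPihwpkDWkZJA18PRkOgJpg==",
]

# Option numbers defined in RFC 791.
OPTION_NAMES = {0: "End of Option List", 1: "No Operation", 7: "Record Route"}


def decode_record_route(raw):
    """Decode Record Route data: one pointer byte, then 4-byte address slots."""
    pointer, slots = raw[0], raw[1:]
    if len(slots) % 4:
        raise ValueError("route data is not a whole number of IPv4 addresses")
    hops = [str(ipaddress.IPv4Address(slots[i:i + 4]))
            for i in range(0, len(slots), 4)]
    # RFC 791: the pointer counts from the option's type byte, so the first
    # slot is at offset 4 and a pointer past type+length+pointer+slots means
    # every slot has been filled in by a router.
    used = max(0, min(len(hops), (pointer - 4) // 4))
    return {"pointer": pointer, "hops": hops[:used],
            "full": pointer > 3 + len(slots)}


def parse_ipopt(line):
    """Parse one line; ASSUMED field order: index, proto, code, length, data."""
    index, _proto, code, length, b64 = line.split(":", 1)[1].split(",", 4)
    raw = base64.b64decode(b64)
    opt = {"index": int(index), "code": int(code),
           "name": OPTION_NAMES.get(int(code), "unknown"),
           "length": int(length), "length_ok": len(raw) == int(length)}
    if opt["code"] == 7 and raw:
        opt.update(decode_record_route(raw))
    return opt


if __name__ == "__main__":
    for line in IPOPT_LINES:
        opt = parse_ipopt(line)
        print(opt["index"], opt["name"], "len", opt["length"],
              "ok" if opt["length_ok"] else "LENGTH MISMATCH",
              opt.get("hops", ""))
```

The length_ok flag compares the length stated in the line with the number of bytes the Base64 field actually decodes to.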