[Snort-users] Snort has different IPs than Wireshark

Billy Marshall Billy.Marshall at ...9988...
Tue Nov 30 12:28:28 EST 2010


I have a massive amount of alerts that seem peculiar. The Wireshark payload
dump from Snort has South African addresses, but Snort has RFC 1816
addresses.

 

Base output:

DOS tcpdump tcp LDP print zero length message denial of service attempt
2010-11-24 06:00:01
10.xxx.xxx.115 (http://165.127.171.36/base/base_stat_ipaddr.php?ip=10.60.93.115&netmask=32):2049
10.xxx.xxx.15 (http://165.127.171.36/base/base_stat_ipaddr.php?ip=10.60.72.15&netmask32):646
TCP
 
whois info:

Src 163.197.215.3 Dst 163.196.128.15

ZA, South Africa

 

Any ideas?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20101126-DOS tcpdump tcp LDP print zero length	message denial of servi.pcap
Type: application/octet-stream
Size: 210 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20101130/6d431fb1/attachment.obj>

