[Snort-users] Snort has different IPs than Wireshark

Russ Combs rcombs at ...1935...
Tue Nov 30 13:26:03 EST 2010


Just looking at your pcap it is hard to say but Snort and Wireshark are in
agreement on the addresses so maybe it is a Base issue.

On Tue, Nov 30, 2010 at 12:28 PM, Billy Marshall <Billy.Marshall at ...9988...> wrote:

> I have a massive amount of alerts that seem peculiar. The Wireshark payload
> dump from Snort has South African addresses, but Snort has RFC 1816
> addresses.
>
> Base output
>
> DOS tcpdump tcp LDP print zero length message denial of service attempt
> 2010-11-24 06:00:01
> 10.xxx.xxx.115<http://165.127.171.36/base/base_stat_ipaddr.php?ip=10.60.93.115&netmask=32>:2049
> 10.xxx.xxx.15<http://165.127.171.36/base/base_stat_ipaddr.php?ip=10.60.72.15&netmask32>:646
> TCP
>
> whois info:
> Src 163.197.215.3 Dst 163.196.128.15
> ZA, South Africa
>
> Any ideas?
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
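An added example for this thread, not code from Snort, BASE or either poster: the check Russ describes, reading the addresses straight out of the pcap that Snort wrote and comparing them with what the alert console shows, so the question "does the pcap actually contain 163.197.215.3, or 10.60.93.115?" is answered by the bytes on disk rather than by either tool's display. It uses only the Python standard library. The packet bytes and the "console rows" are constructed here from the addresses quoted above (the frame is a bare Ethernet/IPv4/TCP header with no LDP payload and zero checksums); `build_pcap`, `parse_pcap`, `compare` and `is_rfc1918` are this example's own names. The RFC 1918 test is there because a whois answer like "ZA, South Africa" can only belong to a public address: if the pcap holds 10.x addresses, the whois result was looked up against something else.

```python
"""Cross-check the addresses in a pcap against the rows an alert console shows.

Added example for the Snort-users thread above; not Snort, BASE or poster code.
Packet bytes and console rows are constructed from the addresses quoted in the
thread. Classic libpcap format only (magic a1b2c3d4), Ethernet link type.
"""
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_pcap(frames):
    """Write a classic pcap file into memory from (ts_sec, raw_frame) pairs."""
    # magic, major, minor, thiszone, sigfigs, snaplen, linktype
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in frames:
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)))  # record header
        out.append(frame)
    return b"".join(out)


def build_tcp_frame(src, dst, sport, dport, payload=b""):
    """Minimal Ethernet/IPv4/TCP frame; checksums are zero because we only parse it."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + tcp


def parse_pcap(data):
    """Yield (src, sport, dst, dport) for every IPv4/TCP packet in a pcap."""
    (magic,) = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == PCAP_MAGIC else ">"
    (linktype,) = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 4:                   # not TCP / truncated
            continue
        src = str(ipaddress.IPv4Address(ip[12:16]))
        dst = str(ipaddress.IPv4Address(ip[16:20]))
        sport, dport = struct.unpack_from("!HH", ip, ihl)
        yield (src, sport, dst, dport)


def is_rfc1918(addr):
    """True for 10/8, 172.16/12 and 192.168/16 only (not the wider .is_private set)."""
    a = ipaddress.IPv4Address(addr)
    return any(a in net for net in RFC1918)


def compare(pcap_bytes, console_rows):
    """Diff the flows in the pcap against (src, sport, dst, dport) rows from the console."""
    flows = set(parse_pcap(pcap_bytes))
    rows = set(console_rows)
    return {"console_only": sorted(rows - flows), "pcap_only": sorted(flows - rows)}


# Constructed sample: the flow the thread quotes from BASE, written into a one-packet pcap.
SAMPLE_PCAP = build_pcap([(0, build_tcp_frame("10.60.93.115", "10.60.72.15", 2049, 646))])
CONSOLE_ROW = ("10.60.93.115", 2049, "10.60.72.15", 646)
WHOIS_ROW = ("163.197.215.3", 2049, "163.196.128.15", 646)

if __name__ == "__main__":
    for flow in parse_pcap(SAMPLE_PCAP):
        src, sport, dst, dport = flow
        print(flow, "src private:", is_rfc1918(src), "dst private:", is_rfc1918(dst))
    print(compare(SAMPLE_PCAP, [CONSOLE_ROW]))
    print(compare(SAMPLE_PCAP, [WHOIS_ROW]))
```

Point it at the real capture by replacing SAMPLE_PCAP with `open(path, "rb").read()` and the console rows with the src/port/dst/port columns exported from BASE. An empty diff means the console and the capture agree and the whois lookup was run on the wrong input; a non-empty diff means the console is displaying a different packet than it linked to.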