[Snort-users] Snort has different IPs than Wireshark

Castle, Shane scastle at ...14946...
Tue Nov 30 15:00:13 EST 2010

This appears to be fixed in BASE-1.4.5. The bug ID in their bug tracker
is 2889623:

In an attempt to use the most recent code I am using the CVS source. It
still has issues.

I am getting the feeling that BASE is becoming unmaintained. Anybody
have info to the contrary?

Shane Castle
Data Security Mgr, Boulder County IT

-----Original Message-----
From: Billy Marshall [mailto:Billy.Marshall at ...9988...] 
Sent: Tuesday, November 30, 2010 12:43
To: Russ Combs
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort has different IPs than Wireshark

Hi Russ,
You are absolutely correct. After some investigation it is base causing
the issues. I discovered that the database has the addresses correctly
stored and a dump form tcpdump and snort produce correct outputs. A
colleague of mine and I discovered Base has a small bug. It is detailed
in the attached document.
Base version is 1.4.4


-Bill Marshall
Network Services -

Governor's Office of Information Technology

1575 Sherman Street, Ground Floor G19
Denver, CO 80203
Phone: 303-866-5209
Email:  billy.marshall at ...9988...

Information contained in this email is confidential and intended for the
addressee only. If you received this message and are not the intended
recipient, please delete the message and do not further disclose the

>>> Russ Combs <rcombs at ...1935...> 11/30/2010 11:26 AM >>>
Just looking at your pcap it is hard to say but Snort and Wireshark are
in agreement on the addresses so maybe it is a Base issue.

On Tue, Nov 30, 2010 at 12:28 PM, Billy Marshall
<Billy.Marshall at ...9988...> wrote:

	I have a massive amount of alerts that seem peculiar. Wireshark
payload dump from Snort has South African addresses but snort has RFC
1816 addresses.


	Base output

DOS tcpdump tcp LDP print zero length message denial of service attempt 

2010-11-24 06:00:01 

=32> :2049 

2> :646 



	whois info:

	Src Dst

	ZA, South Africa


	Any Ideas

	Increase Visibility of Your 3D Game App & Earn a Chance To Win
	Tap into the largest installed PC base & get more eyes on your
game by
	optimizing for Intel(R) Graphics Technology. Get started today
with the
	Intel(R) Software Partner Program. Five $500 cash prizes are up
for grabs.
	Snort-users mailing list
	Snort-users at lists.sourceforge.net
	Go to this URL to change user options or unsubscribe:
	Snort-users list archive:

More information about the Snort-users mailing list