[Snort-users] Snort has different IPs than Wireshark
scastle at ...14946...
Tue Nov 30 15:00:13 EST 2010
This appears to be fixed in BASE-1.4.5. The bug ID in their bug tracker
In an attempt to use the most recent code I am using the CVS source. It
still has issues.
I am getting the feeling that BASE is becoming unmaintained. Anybody
have info to the contrary?
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH
From: Billy Marshall [mailto:Billy.Marshall at ...9988...]
Sent: Tuesday, November 30, 2010 12:43
To: Russ Combs
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort has different IPs than Wireshark
You are absolutely correct. After some investigation it is base causing
the issues. I discovered that the database has the addresses correctly
stored and a dump form tcpdump and snort produce correct outputs. A
colleague of mine and I discovered Base has a small bug. It is detailed
in the attached document.
Base version is 1.4.4
Network Services -
Governor's Office of Information Technology
1575 Sherman Street, Ground Floor G19
Denver, CO 80203
Email: billy.marshall at ...9988...
Information contained in this email is confidential and intended for the
addressee only. If you received this message and are not the intended
recipient, please delete the message and do not further disclose the
>>> Russ Combs <rcombs at ...1935...> 11/30/2010 11:26 AM >>>
Just looking at your pcap it is hard to say but Snort and Wireshark are
in agreement on the addresses so maybe it is a Base issue.
On Tue, Nov 30, 2010 at 12:28 PM, Billy Marshall
<Billy.Marshall at ...9988...> wrote:
I have a massive amount of alerts that seem peculiar. Wireshark
payload dump from Snort has South African addresses but snort has RFC
DOS tcpdump tcp LDP print zero length message denial of service attempt
Src 18.104.22.168 Dst 22.214.171.124
ZA, South Africa
Increase Visibility of Your 3D Game App & Earn a Chance To Win
Tap into the largest installed PC base & get more eyes on your
optimizing for Intel(R) Graphics Technology. Get started today
Intel(R) Software Partner Program. Five $500 cash prizes are up
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
More information about the Snort-users