[Snort-users] Snort has different IPs than Wireshark
Castle, Shane
scastle at ...14946...
Tue Nov 30 15:00:13 EST 2010
This appears to be fixed in BASE-1.4.5. The bug ID in their bug tracker
is 2889623:
http://sourceforge.net/tracker/?func=detail&aid=2889623&group_id=103348&
atid=635582
In an attempt to use the most recent code I am using the CVS source. It
still has issues.
I am getting the feeling that BASE is becoming unmaintained. Anybody
have info to the contrary?
--
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH
-----Original Message-----
From: Billy Marshall [mailto:Billy.Marshall at ...9988...]
Sent: Tuesday, November 30, 2010 12:43
To: Russ Combs
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort has different IPs than Wireshark
Hi Russ,
You are absolutely correct. After some investigation it is base causing
the issues. I discovered that the database has the addresses correctly
stored and a dump form tcpdump and snort produce correct outputs. A
colleague of mine and I discovered Base has a small bug. It is detailed
in the attached document.
Base version is 1.4.4
-Bill Marshall
Network Services -
Governor's Office of Information Technology
1575 Sherman Street, Ground Floor G19
Denver, CO 80203
Phone: 303-866-5209
Email: billy.marshall at ...9988...
************************************************************************
***
Information contained in this email is confidential and intended for the
addressee only. If you received this message and are not the intended
recipient, please delete the message and do not further disclose the
information.
>>> Russ Combs <rcombs at ...1935...> 11/30/2010 11:26 AM >>>
Just looking at your pcap it is hard to say but Snort and Wireshark are
in agreement on the addresses so maybe it is a Base issue.
On Tue, Nov 30, 2010 at 12:28 PM, Billy Marshall
<Billy.Marshall at ...9988...> wrote:
I have a massive amount of alerts that seem peculiar. Wireshark
payload dump from Snort has South African addresses but snort has RFC
1816 addresses.
Base output
DOS tcpdump tcp LDP print zero length message denial of service attempt
2010-11-24 06:00:01
10.xxx.xxx.115
<http://165.127.171.36/base/base_stat_ipaddr.php?ip=10.60.93.115&netmask
=32> :2049
10.xxx.xxx.15
<http://165.127.171.36/base/base_stat_ipaddr.php?ip=10.60.72.15&netmask3
2> :646
TCP
whois info:
Src 163.197.215.3 Dst 163.196.128.15
ZA, South Africa
Any Ideas
------------------------------------------------------------------------
------
Increase Visibility of Your 3D Game App & Earn a Chance To Win
$500!
Tap into the largest installed PC base & get more eyes on your
game by
optimizing for Intel(R) Graphics Technology. Get started today
with the
Intel(R) Software Partner Program. Five $500 cash prizes are up
for grabs.
http://p.sf.net/sfu/intelisp-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
More information about the Snort-users
mailing list