[Snort-users] Snort has different IPs than Wireshark

Castle, Shane scastle at ...14946...
Tue Nov 30 15:00:13 EST 2010


This appears to be fixed in BASE-1.4.5. The bug ID in their bug tracker
is 2889623:
http://sourceforge.net/tracker/?func=detail&aid=2889623&group_id=103348&atid=635582

In an attempt to use the most recent code I am using the CVS source. It
still has issues.

I am getting the feeling that BASE is becoming unmaintained. Anybody
have info to the contrary?

-- 
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH


-----Original Message-----
From: Billy Marshall [mailto:Billy.Marshall at ...9988...] 
Sent: Tuesday, November 30, 2010 12:43
To: Russ Combs
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort has different IPs than Wireshark

Hi Russ,
You are absolutely correct. After some investigation it is BASE causing
the issues. I discovered that the database has the addresses correctly
stored, and a dump from tcpdump and Snort produces correct output. A
colleague of mine and I discovered BASE has a small bug. It is detailed
in the attached document.
BASE version is 1.4.4

 
 

-Bill Marshall
Network Services -

Governor's Office of Information Technology

1575 Sherman Street, Ground Floor G19
Denver, CO 80203
Phone: 303-866-5209
Email:  billy.marshall at ...9988...




>>> Russ Combs <rcombs at ...1935...> 11/30/2010 11:26 AM >>>
Just looking at your pcap it is hard to say, but Snort and Wireshark are
in agreement on the addresses, so maybe it is a BASE issue.


On Tue, Nov 30, 2010 at 12:28 PM, Billy Marshall
<Billy.Marshall at ...9988...> wrote:


I have a massive amount of alerts that seem peculiar. The Wireshark
payload dump from Snort has South African addresses but Snort has RFC
1918 addresses.

BASE output

DOS tcpdump tcp LDP print zero length message denial of service attempt

2010-11-24 06:00:01

10.xxx.xxx.115 <http://165.127.171.36/base/base_stat_ipaddr.php?ip=10.60.93.115&netmask=32> :2049

10.xxx.xxx.15 <http://165.127.171.36/base/base_stat_ipaddr.php?ip=10.60.72.15&netmask32> :646

TCP

whois info:

Src 163.197.215.3 Dst 163.196.128.15

ZA, South Africa

Any ideas?


	
	
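The two address pairs in Bill's original report pin down what kind of display error this is, independently of the attached document (which is not on this page) and of the tracker entry Shane cites. In hex, the stored address 10.60.93.115 is 0a3c5d73 and the displayed 163.197.215.3 is a3c5d703; likewise 10.60.72.15 is 0a3c480f and 163.196.128.15 is a3c4800f. In both pairs the displayed value is the stored value with its leading zero dropped and every nibble shifted one position left, which is what you get when a 32-bit integer is formatted as hex without zero-padding to eight digits and then cut into two-character octets. Only addresses whose first octet is below 16 are affected, and 10/8 is exactly that case, which fits a "massive amount" of alerts on an internal network. Snort's database output stores ip_src and ip_dst as unsigned 32-bit integers, so a console has to perform this conversion for every alert it lists. The Python below is an example added here, not code from BASE, Snort or anyone in the thread: the faulty renderer is a constructed model of the symptom (an inference from the addresses on the page, not a quotation of BASE's source), shown beside the correct conversion and a small checker that classifies a capture-vs-console disagreement.

```python
"""Check a console's rendering of alert addresses against what the capture shows.

Snort's database schema stores ip_src and ip_dst as unsigned 32-bit integers;
a console such as BASE turns them back into dotted quads for display. The
"unpadded" renderer below is a constructed model of the symptom in the thread,
not BASE's actual code.
"""
import ipaddress
import socket
import struct

# RFC 1918 private ranges, listed explicitly rather than via is_private(),
# which also covers loopback, link-local and other non-1918 space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ip_to_int(dotted: str) -> int:
    """Dotted quad -> the unsigned 32-bit value a Snort DB row would hold."""
    return int(ipaddress.IPv4Address(dotted))


def int_to_ip(n: int) -> str:
    """Correct conversion: treat the value as exactly 32 bits, network order."""
    return socket.inet_ntoa(struct.pack("!I", n & 0xFFFFFFFF))


def unpadded_hex_render(n: int) -> str:
    """Constructed faulty renderer: format as hex WITHOUT padding to 8 digits,
    then carve octets two characters at a time from the left. A first octet
    below 16 loses its leading zero and every nibble shifts one place left."""
    h = format(n & 0xFFFFFFFF, "x")                       # 0x0a3c5d73 -> 'a3c5d73'
    octets = [h[i:i + 2] for i in range(0, len(h), 2)]    # ['a3','c5','d7','3']
    return ".".join(str(int(o, 16)) for o in octets)


def padded_hex_render(n: int) -> str:
    """The same approach done right: zero-pad to eight hex digits first."""
    h = format(n & 0xFFFFFFFF, "08x")                     # 0x0a3c5d73 -> '0a3c5d73'
    return ".".join(str(int(h[i:i + 2], 16)) for i in range(0, 8, 2))


def is_rfc1918(dotted: str) -> bool:
    addr = ipaddress.IPv4Address(dotted)
    return any(addr in net for net in RFC1918)


def diagnose(captured: str, displayed: str) -> str:
    """Classify a disagreement between the address tcpdump/Snort show for a
    packet and the address the console displayed for the matching alert."""
    if captured == displayed:
        return "match"
    if unpadded_hex_render(ip_to_int(captured)) == displayed:
        return "nibble-shift"      # dropped leading zero; first octet < 16
    return "unexplained"


# Constructed from the two pairs quoted in the thread (DB/link address vs
# the address that went to whois).
THREAD_PAIRS = [
    ("10.60.93.115", "163.197.215.3"),
    ("10.60.72.15", "163.196.128.15"),
]


def check_pairs(pairs=THREAD_PAIRS):
    """Return (captured, displayed, verdict, captured_is_1918, displayed_is_1918)."""
    return [(cap, shown, diagnose(cap, shown), is_rfc1918(cap), is_rfc1918(shown))
            for cap, shown in pairs]


if __name__ == "__main__":
    for cap, shown, verdict, cap_priv, shown_priv in check_pairs():
        print(f"{cap:>15} (rfc1918={cap_priv}) shown as {shown:<15} "
              f"(rfc1918={shown_priv}): {verdict}")
```

Both pairs from the report come back as nibble-shift, with the captured side in RFC 1918 space and the displayed side not. The practical check when a console and a capture disagree is the one Bill describes: confirm the value in the database row and in the pcap first, and only then blame the display layer; addresses with a first octet of 16 or above round-trip correctly through even the faulty renderer, so a console that shows 192.168/16 alerts correctly can still mangle every 10/8 alert.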