[Snort-users] Snort alarm sameip

Philip Edwards phil.e at ...15568...
Sat May 26 08:12:15 EDT 2012


Hi,

Can anyone hazard a guess why the sameip keyword is triggering an alarm on a DHCP request.
The source is 0.0.0.0 the destination is 255.255.255.255 
The rule is the default: bad-traffic rule

alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:8;)

phil at ...15654...:~$ snort --version

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.2 IPv6 GRE (Build 78) 
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.12 2011-01-15
           Using ZLIB version: 1.2.3.4



I could add exceptions to filter this out but would i like to know why it's being triggered.

Thanks

Phil Edwards






More information about the Snort-users mailing list