[Snort-users] Snort alarm sameip
phil.e at ...15568...
Sat May 26 08:12:15 EDT 2012
Can anyone hazard a guess why the sameip keyword is triggering an alarm on a DHCP request?
The source is 0.0.0.0 and the destination is 255.255.255.255.
The rule is the default bad-traffic rule:
alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:8;)
phil at ...15654...:~$ snort --version
,,_ -*> Snort! <*-
o" )~ Version 2.9.2 IPv6 GRE (Build 78)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2011 Sourcefire, Inc., et al.
Using libpcap version 1.1.1
Using PCRE version: 8.12 2011-01-15
Using ZLIB version: 184.108.40.206
I could add exceptions to filter this out, but I would like to know why it's being triggered.