[Snort-users] Snort alarm sameip

Eric G eric at ...15503...
Sat May 26 13:53:50 EDT 2012


On Sat, May 26, 2012 at 8:12 AM, Philip Edwards <phil.e at ...15568...> wrote:

>
> Hi,
>

Howdy!


> Can anyone hazard a guess why the sameip keyword is triggering an alarm on
> a DHCP request?
> The source is 0.0.0.0; the destination is 255.255.255.255.
> The rule is the default bad-traffic rule:
>
> alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip;
> reference:bugtraq,2666; reference:cve,1999-0016; reference:url,
> www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527;
> rev:8;)


I would venture to guess that the response from the list is going to be
something along the lines of "can you provide us a pcap of the traffic?"
That's kind of how folks roll around here.

--
Eric