[Snort-users] Snort alarm sameip

Joel Esler jesler at ...1935...
Sat May 26 16:47:52 EDT 2012

You are correct. 

Good job. I should add it to the drinking game, but I'm afraid it would be irresponsible to encourage that much intake. 

Joel Esler

On May 26, 2012, at 1:53 PM, Eric G <eric at ...15503...> wrote:

> On Sat, May 26, 2012 at 8:12 AM, Philip Edwards <phil.e at ...15568...> wrote:
> Hi,
> Howdy!
> Can anyone hazard a guess why the sameip keyword is triggering an alarm on a DHCP request.
> The source is the destination is
> The rule is the default: bad-traffic rule
> alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:8;)
> I would venture to guess that the response from the list is going to be something along the lines of "can you provide us a pcap of the traffic?" That's kind of how folks roll around here.
> --
> Eric
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and 
> threat landscape has changed and how IT managers can respond. Discussions 
> will include endpoint security, mobile security and the latest in malware 
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120526/46e30c52/attachment.html>

More information about the Snort-users mailing list