[Snort-users] [commercial] Re: Snort alarm sameip

Philip Edwards phil.e at ...15568...
Mon May 28 18:11:49 EDT 2012



Hello again,

phil at ...15654...:~$ tcpdump -r dhcp.cap | grep 0.0.0.0
reading from file dhcp.cap, link-type EN10MB (Ethernet)
18:16:22.019719 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:1b:63:c7:06:bb (oui Unknown), length 300
18:17:25.761463 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:1b:63:c7:06:bb (oui Unknown), length 300
18:17:31.973436 IP philip-edwards-computer.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? b.b.6.0.7.c.e.f.f.f.3.6.b.1.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
tcpdump: pcap_loop: truncated dump file; tried to read 60 captured bytes, only got 24



Phil.


On 26 May 2012, at 18:53, Eric G wrote:

> On Sat, May 26, 2012 at 8:12 AM, Philip Edwards <phil.e at ...15568...> wrote:
> 
> Hi,
> 
> Howdy!
>  
> Can anyone hazard a guess why the sameip keyword is triggering an alarm on a DHCP request?
> The source is 0.0.0.0, the destination is 255.255.255.255.
> The rule is the default: bad-traffic rule
> 
> alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:8;)
> 
> I would venture to guess that the response from the list is going to be something along the lines of "can you provide us a pcap of the traffic?" That's kind of how folks roll around here.
> 
> --
> Eric
> 

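As an added example (not part of Phil's message, and not Snort's own code), here is a small standard-library Python checker that applies the sameip condition, source address equal to destination address, to the IPv4 packets in a pcap. It runs over a constructed capture that contains a DHCP request like the one in the tcpdump output above (0.0.0.0 to 255.255.255.255), a genuinely same-address packet using a made-up 192.0.2.10 address, and a truncated final record of the kind tcpdump complained about, so you can confirm whether a capture really holds a same-address packet before chasing the rule.

```python
import struct
import socket

PCAP_MAGIC = 0xA1B2C3D4  # little-endian libpcap magic number

def build_frame(src_ip, dst_ip, sport=68, dport=67, payload=b"\x01" * 8):
    """Build an Ethernet/IPv4/UDP frame (checksums zeroed; enough for header parsing)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + udp
    eth = b"\xff" * 6 + bytes.fromhex("001b63c706bb") + b"\x08\x00"  # MAC from the thread
    return eth + ip

def build_pcap(frames, truncate_last=0):
    """Serialise frames into a pcap file; optionally cut bytes off the final record."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1338250582 + i, 0, len(f), len(f)) + f
    return out[:len(out) - truncate_last] if truncate_last else out

def sameip_scan(data):
    """Return ([(pkt_no, src, dst, same_ip)], truncated) for IPv4 packets in a pcap."""
    if len(data) < 24 or struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    results, off, n, truncated = [], 24, 0, False
    while off < len(data):
        if off + 16 > len(data):          # record header itself is cut short
            truncated = True
            break
        _, _, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl]
        if len(pkt) < incl:               # mirrors tcpdump's "truncated dump file"
            truncated = True
            break
        off += 16 + incl
        n += 1
        if len(pkt) >= 34 and pkt[12:14] == b"\x08\x00":   # EtherType IPv4
            src, dst = socket.inet_ntoa(pkt[26:30]), socket.inet_ntoa(pkt[30:34])
            results.append((n, src, dst, src == dst))
    return results, truncated

if __name__ == "__main__":
    # Constructed sample: DHCP request, a real same-address packet, then a cut-off record.
    frames = [build_frame("0.0.0.0", "255.255.255.255"),
              build_frame("192.0.2.10", "192.0.2.10", 5000, 5000),
              build_frame("0.0.0.0", "255.255.255.255")]
    hits, truncated = sameip_scan(build_pcap(frames, truncate_last=26))
    for pkt_no, src, dst, same in hits:
        print(f"packet {pkt_no}: {src} -> {dst} sameip={'yes' if same else 'no'}")
    print("capture truncated:", truncated)
```

Only the 192.0.2.10 packet satisfies the sameip condition; the DHCP request does not, and the scan stops cleanly at the truncated record instead of misreading its remaining bytes.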

