[Snort-users] [commercial] Re: Snort alarm sameip

Joel Esler jesler at ...1935...
Mon May 28 19:08:39 EDT 2012


If you could email the pcap to research at ...1935...

That would be great.

--
Joel Esler

On May 28, 2012, at 6:11 PM, Philip Edwards <phil.e at ...15568...> wrote:

> 
> 
> Hello again,
> 
> phil at ...15654...:~$ tcpdump -r dhcp.cap | grep 0.0.0.0
> reading from file dhcp.cap, link-type EN10MB (Ethernet)
> 18:16:22.019719 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:1b:63:c7:06:bb (oui Unknown), length 300
> 18:17:25.761463 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:1b:63:c7:06:bb (oui Unknown), length 300
> 18:17:31.973436 IP philip-edwards-computer.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? b.b.6.0.7.c.e.f.f.f.3.6.b.1.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
> tcpdump: pcap_loop: truncated dump file; tried to read 60 captured bytes, only got 24
> 
> 
> 
> Phil.
> 
> 
> On 26 May 2012, at 18:53, Eric G wrote:
> 
>> On Sat, May 26, 2012 at 8:12 AM, Philip Edwards <phil.e at ...15568...> wrote:
>> 
>> Hi,
>> 
>> Howdy!
>>  
>> Can anyone hazard a guess why the sameip keyword is triggering an alarm on a DHCP request?
>> The source is 0.0.0.0, the destination is 255.255.255.255.
>> The rule is the default bad-traffic rule:
>> 
>> alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:8;)
>> 
>> I would venture to guess that the response from the list is going to be something along the lines of "can you provide us a pcap of the traffic?" That's kind of how folks roll around here.
>> 
>> --
>> Eric
>> 
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and 
>> threat landscape has changed and how IT managers can respond. Discussions 
>> will include endpoint security, mobile security and the latest in malware 
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> 
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
> 
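Snort's `sameip` keyword matches only when a packet's IPv4 source and destination addresses are identical, so a DHCP discover from 0.0.0.0 to 255.255.255.255 is not, by itself, a match. The script below is an added example (not Snort code and not anything the posters wrote): it walks a libpcap file with only the standard library, reports every packet `sameip` would match, and flags the "truncated dump file" condition that tcpdump hit above. The capture it scans is constructed inline, not the poster's dhcp.cap.

```python
"""Scan a libpcap file for packets Snort's `sameip` would match (IPv4 src == dst)
and report a truncated trailing record.  Added example, not Snort code."""
import struct

ETHERTYPE_IPV4 = 0x0800

def _ipv4_pkt(src, dst, payload=b"\x00" * 8):
    """Build a minimal Ethernet + IPv4 frame (checksum left zero; we only parse it)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = b"\xff" * 6 + b"\x00\x1b\x63\xc7\x06\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + payload

def _pcap(records, truncate_last=False):
    """Serialise (timestamp, frame) records as a little-endian libpcap blob, linktype 1."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    if truncate_last:          # record header promises more bytes than the file holds
        out = out[:-24]
    return out

def scan_pcap(data):
    """Return (hits, truncated): hits are (packet_no, src, dst) with src == dst."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    hits, off, pkt_no = [], 24, 0
    while off + 16 <= len(data):
        _ts, _us, incl, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        if off + incl > len(data):
            return hits, True  # same condition tcpdump reports as "truncated dump file"
        frame = data[off:off + incl]
        off += incl
        pkt_no += 1
        if len(frame) >= 34 and struct.unpack_from("!H", frame, 12)[0] == ETHERTYPE_IPV4:
            src = ".".join(map(str, frame[26:30]))
            dst = ".".join(map(str, frame[30:34]))
            if src == dst:     # this, and only this, is what `sameip` tests
                hits.append((pkt_no, src, dst))
    return hits, off != len(data)  # leftover partial header also counts as truncated

# Constructed capture: a DHCP discover like the poster's, then a src == dst packet.
RECORDS = [(1338243382, _ipv4_pkt("0.0.0.0", "255.255.255.255")),
           (1338243383, _ipv4_pkt("10.0.0.5", "10.0.0.5"))]
SAMPLE = _pcap(RECORDS)
TRUNCATED = _pcap(RECORDS, truncate_last=True)

if __name__ == "__main__":
    print(scan_pcap(SAMPLE), scan_pcap(TRUNCATED))
```

Running it over a real capture is a quick way to confirm whether any packet in it actually carries identical addresses before chasing the rule itself.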