[Snort-users] [commercial] Re: Snort alarm sameip

Philip Edwards phil.e at ...15568...
Tue May 29 06:58:34 EDT 2012


In the payload section the server IP, your IP, client IP and relay IP are all the same, so that's the answer.
Thanks very much.

Phil.



On 26 May 2012, at 17:14, Balasubramaniam Natarajan wrote:

> Strange, what do you see in the payload section?
> 
> On Sat, May 26, 2012 at 5:42 PM, Philip Edwards <phil.e at ...15568...> wrote:
> 
> Hi,
> 
> Can anyone hazard a guess why the sameip keyword is triggering an alarm on a DHCP request?
> The source is 0.0.0.0, the destination is 255.255.255.255.
> The rule is the default bad-traffic rule:
> 
> alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:8;)
> 
> phil at ...15654...:~$ snort --version
> 
>   ,,_     -*> Snort! <*-
>  o"  )~   Version 2.9.2 IPv6 GRE (Build 78)
>   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
>           Using libpcap version 1.1.1
>           Using PCRE version: 8.12 2011-01-15
>           Using ZLIB version: 1.2.3.4
> 
> 
> 
> I could add exceptions to filter this out, but I would like to know why it's being triggered.
> 
> Thanks
> 
> Phil Edwards
> 
> 
> -- 
> Regards,
> Balasubramaniam Natarajan
> www.etutorshop.com/moodle/
> 
