[Snort-users] Cisco Proprietary Protocol and Snort

Jutichai Thongkrachai thsecmaniac at ...11827...
Tue Jan 27 06:34:04 EST 2015


Here you are.

From Snorby:

http://i57.tinypic.com/egr4ms.png




From Wireshark:

http://i57.tinypic.com/21vnt.png




> ---------- Forwarded message ----------
> From: "Al Lewis (allewi)" <allewi at ...589...>
> To: Jutichai Thongkrachai <thsecmaniac at ...11827...>, "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
> Cc:
> Date: Tue, 27 Jan 2015 11:05:12 +0000
> Subject: Re: [Snort-users] Cisco Proprietary Protocol and Snort
>
> Can you provide a sample of the traffic?
>
>
>
> Albert Lewis
>
> QA Software Engineer
>
> SOURCE*fire*, Inc. now part of *Cisco*
>
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
>
> Phone: (office) 443.430.7112
>
> Email: allewi at ...589...
>
>
>
> *From:* Jutichai Thongkrachai [mailto:thsecmaniac at ...11827...]
> *Sent:* Monday, January 26, 2015 11:46 PM
> *To:* snort-users at lists.sourceforge.net
> *Subject:* [Snort-users] Cisco Proprietary Protocol and Snort
>
>
>
> Hello,
>
> My Snort keeps telling me that it detects "snort_decoder: WARNING:
> BAD-TRAFFIC Bad IP protocol" (Sid:450,Gid:116) hourly, which comes from my
> Cisco switch sending multicast packets to the network with its proprietary PIM
> protocol (sparse-dense-mode).
>
> I'm curious that my Snort cannot decode Cisco PIM Protocol. So, it detects it as
> "WARNING: BAD-TRAFFIC Bad IP protocol". Is it possible?
>
>