<div dir="ltr"><div><div>Here you are.<br><br></div>From Snorby:<br><br><a href="http://i57.tinypic.com/egr4ms.png">http://i57.tinypic.com/egr4ms.png</a><br><br><br><br><br></div>From Wireshark:<br><br><a href="http://i57.tinypic.com/21vnt.png">http://i57.tinypic.com/21vnt.png</a><br><br><div><div><div><div class="gmail_extra"><br><div class="gmail_quote"><br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>---------- Forwarded message ----------<br>From: "Al Lewis (allewi)" <<a href="mailto:allewi@...589...">allewi@...589...</a>><br>To: Jutichai Thongkrachai <<a href="mailto:thsecmaniac@...11827...">thsecmaniac@...11827...</a>>, "<a href="mailto:snort-users@lists.sourceforge.net">snort-users@lists.sourceforge.net</a>" <<a href="mailto:snort-users@...3204...ts.sourceforge.net">snort-users@lists.sourceforge.net</a>><br>Cc: <br>Date: Tue, 27 Jan 2015 11:05:12 +0000<br>Subject: Re: [Snort-users] Cisco Proprietary Protocol and Snort<br>





<div link="blue" vlink="purple" lang="EN-US">
<div>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">Can you provide a sample of the traffic?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Candara","sans-serif";color:rgb(31,73,125)">Albert Lewis<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Candara","sans-serif";color:rgb(136,136,136)">QA Software Engineer<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Georgia","serif";color:rgb(153,153,153)">SOURCE</span><b><span style="font-family:"Georgia","serif";color:red">fire</span></b><span style="font-family:"Georgia","serif";color:rgb(153,153,153)">, Inc.
</span><span style="font-family:"Georgia","serif";color:rgb(136,136,136)">now part of </span>
<b><span style="font-family:"Georgia","serif";color:rgb(49,132,155)">Cisco</span></b><span style="font-family:"Georgia","serif";color:rgb(136,136,136)"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Candara","sans-serif";color:rgb(153,153,153)">9780 Patuxent Woods Drive<br>
Columbia, MD 21046 </span><span style="font-family:"Candara","sans-serif";color:rgb(136,136,136)"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Candara","sans-serif";color:rgb(153,153,153)">Phone: (office) </span><span style="font-family:"Candara","sans-serif";color:rgb(31,73,125)">443.430.7112<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Candara","sans-serif";color:rgb(153,153,153)">Email:
</span><span style="font-family:"Candara","sans-serif";color:rgb(31,73,125)"><a href="mailto:allewi@...589..." target="_blank">allewi@...589...</a></span><span style="font-family:"Candara","sans-serif";color:rgb(79,129,189)"> </span><span style="font-family:"Candara","sans-serif";color:rgb(31,73,125)"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:10pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10pt;font-family:"Tahoma","sans-serif""> Jutichai Thongkrachai [mailto:<a href="mailto:thsecmaniac@...11827..." target="_blank">thsecmaniac@...11827...</a>]
<br>
<b>Sent:</b> Monday, January 26, 2015 11:46 PM<br>
<b>To:</b> <a href="mailto:snort-users@lists.sourceforge.net" target="_blank">snort-users@lists.sourceforge.net</a><br>
<b>Subject:</b> [Snort-users] Cisco Proprietary Protocol and Snort<u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12pt">Hello,<u></u><u></u></p>
</div>
<p class="MsoNormal" style="margin-bottom:12pt">My Snort keeps telling me that it detects "snort_decoder: WARNING: BAD-TRAFFIC Bad IP protocol" (Sid:450,Gid:116) hourly, which comes from my Cisco switch sending multicast packets to the network with its proprietary
 PIM protocol (sparse-dense-mode).<u></u><u></u></p>
</div>
<p class="MsoNormal">I'm curious whether my Snort cannot decode the Cisco PIM protocol and so detects it as
<br>
"WARNING: BAD-TRAFFIC Bad IP protocol". Is it possible?<u></u><u></u></p>
</div>
</div>
</div>

<br></blockquote></div><br></div></div></div></div></div>