Home page logo
/

snort logo Snort mailing list archives

Snort has different IPs than Wireshark
From: "Billy Marshall" <Billy.Marshall () state co us>
Date: Tue, 30 Nov 2010 10:28:28 -0700


I have a massive amount of alerts that seem peculiar. Wireshark payload
dump from Snort has South African addresses but snort has  RFC 1816
addresses.

 

Base output


DOS tcpdump tcp LDP print zero length message denial of service attempt

2010-11-24 06:00:01 
10.xxx.xxx.115 (
http://165.127.171.36/base/base_stat_ipaddr.php?ip=10.60.93.115&amp;netmask=32
):2049 
10.xxx.xxx.15 (
http://165.127.171.36/base/base_stat_ipaddr.php?ip=10.60.72.15&amp;netmask32
):646 
TCP 

 
whois info:

Src 163.197.215.3 Dst 163.196.128.15

ZA, South Africa

 

Any Ideas

Attachment: 20101126-DOS tcpdump tcp LDP print zero length message denial of servi.pcap
Description:

------------------------------------------------------------------------------
Increase Visibility of Your 3D Game App & Earn a Chance To Win $500!
Tap into the largest installed PC base & get more eyes on your game by
optimizing for Intel(R) Graphics Technology. Get started today with the
Intel(R) Software Partner Program. Five $500 cash prizes are up for grabs.
http://p.sf.net/sfu/intelisp-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]