Snort mailing list archives

RE: (no subject)


From: "Wirth, Jeff" <WirthJe () DNB com>
Date: Fri, 31 May 2002 15:53:11 -0400

From: Hugo Ferr [mailto:snortgrp () hotmail com]
Snort LAN sensor
Here is the line from ACID:

      DOS MSDTC attempt    Source: 207.35.159.36:80    Destination: 10.0.0.249:3372    TCP

How is this possible? 10.0.0.249 is a proxy machine that doesn't have a public
IP. How can somebody connect to a non-routable IP from the outside world?
Or should I interpret this line as something else?

Is your snort box inside your FW?  If so, I think what you are seeing here
is a false alarm.  The source port on the packet is 80 (HTTP) and you
mentioned that the 10.0.0.249 box is a proxy server, so if you are snorting
after NATing occurs this would explain things.


- Jeff
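
Added example, not part of the original message: one way to test the "reply traffic to the proxy" explanation is to find which endpoint opened the TCP connection the alert belongs to. It assumes the sensor also kept per-packet records with TCP flags; the `Pkt` type, the function names and all sample packets are constructed for illustration.

```python
from typing import NamedTuple

class Pkt(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN only, "SA" = SYN+ACK, "A" = ACK, "PA" = PSH+ACK

def conn_key(p):
    # Direction-independent identifier for a TCP connection.
    return frozenset([(p.src, p.sport), (p.dst, p.dport)])

def initiators(packets):
    """Map each connection to the endpoint that sent the bare SYN (the client)."""
    seen = {}
    for p in packets:
        if p.flags == "S":  # SYN without ACK is only sent by the connecting side
            seen.setdefault(conn_key(p), (p.src, p.sport))
    return seen

def triage(alert, packets):
    """Classify an alert whose rule is meant to match traffic sent *to* a server."""
    client = initiators(packets).get(conn_key(alert))
    if client is None:
        return "unknown"          # no handshake captured; cannot decide
    if client == (alert.dst, alert.dport):
        return "reply-traffic"    # alert destination opened the connection
    return "inbound"              # alert source opened the connection

# Constructed capture: the proxy browses out from local port 3372, and a
# separate (constructed) outside host connects in to port 3372.
PACKETS = [
    Pkt("10.0.0.249", 3372, "207.35.159.36", 80, "S"),
    Pkt("207.35.159.36", 80, "10.0.0.249", 3372, "SA"),
    Pkt("10.0.0.249", 3372, "207.35.159.36", 80, "A"),
    Pkt("207.35.159.36", 80, "10.0.0.249", 3372, "PA"),
    Pkt("192.0.2.10", 40000, "10.0.0.249", 3372, "S"),
]

# The alert from the thread, expressed as a packet record.
ALERT = Pkt("207.35.159.36", 80, "10.0.0.249", 3372, "PA")

if __name__ == "__main__":
    print(triage(ALERT, PACKETS))
```

A "reply-traffic" result matches the false alarm described above: the proxy picked 3372 as its client port for an outbound HTTP request, and the web server's response was matched by a rule keyed on destination port 3372.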
