Snort mailing list archives
What is snort doing to the packets
From: "Bagwell, Steve" <sbagwell () above net>
Date: Fri, 17 Oct 2003 00:48:11 -0400
We have been getting a lot of ICMP PING CyberKit 2.2 Windows alerts. The
reason behind the alert is easy enough but the Src IP and Dest IP are
confusing. The alerts scroll across the screen most of the night but are
not worth investigating because neither the Src IP nor the Dest IP is ever
reachable. I started capturing packets to see what was going on and all
the packets which would trigger this type of alert have legitimate Src IP
and Dest IP. What could be happening after snort runs them through the
rules?
One theory is:
The Src IP is broadcasting its internal IP space.
Alert from E-Sentinel:
Event - snort: [ID 702911 local5.alert] [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 192.168.100.107 -> 64.124.244.87 -
Thanks
Steve
