From: Tony Scalzitti (tonyscalzitti.org)
Date: Sat Feb 09 2002 - 17:08:49 CST


    I did the same thing when writing SnortFE. The field is the 32-bit integer
    value of the IP. In fact it reminded me of the old exploit to bypass
    filters etc. that use the dot notation. Windows will let you use them in
    place of the "normal" IP and it was possible to use them as a URL to avoid
    "blocking" proxies etc.

    -T

    ----- Original Message -----
    From: "Warrick FitzGerald" <wfitzgeraldlivetechnology.com>
    To: <Snort-userslists.sourceforge.net>
    Sent: Saturday, February 09, 2002 4:03 PM
    Subject: Re: [Snort-users] Sid ?

    > My Apologies,
    >
    > It turns out my "0" ip address is caused by the GUI client I am using to
    > access MySQL. The integer value seems to be too high for it to deal with.
    >
    > Thanks
    > Warrick
    >
    > ----- Original Message -----
    > From: "Warrick FitzGerald" <wfitzgeraldlivetechnology.com>
    > To: <Snort-userslists.sourceforge.net>
    > Sent: Saturday, February 09, 2002 2:58 PM
    > Subject: Re: [Snort-users] Sid ?
    >
    >
    > > Ahh, thanks for the help. One more though :)
    > >
    > > The ip_src and ip_dst addresses are often "0" which is the default. Is this
    > > a bug / problem or am I not understanding the data model ?
    > >
    > > Select looks like this :
    > >
    > > SELECT `iphdr`.`ip_src`,
    > > `iphdr`.`ip_dst`,
    > > `tcphdr`.`tcp_sport`,
    > > `tcphdr`.`tcp_dport`,
    > > `tcphdr`.`tcp_seq`,
    > > `tcphdr`.`tcp_ack`,
    > > `data`.`data_payload`
    > > FROM `data`
    > > INNER JOIN `tcphdr` ON (`data`.`cid` = `tcphdr`.`cid`)
    > > INNER JOIN `iphdr` ON (`tcphdr`.`cid` = `iphdr`.`cid`)
    > >
    > > However looking at the iphdr table only reveals exactly the same thing ?
    > >
    > > Thanks
    > > Warrick FitzGerald
    > > LiveTechnology Inc.

    _______________________________________________
    Snort-users mailing list
    Snort-userslists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users
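
Added example, not part of the original thread and not code from Snort or SnortFE: a Python sketch of the two points discussed above, rendering the 32-bit `ip_src`/`ip_dst` integers as dotted quads and canonicalising integer-form hosts in URLs before a filter compares them. It goes beyond the plain decimal case in the thread by also handling hex, octal and short dotted forms; the function names, the signed 32-bit explanation for the GUI client, and the sample values are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# One inet_aton-style number: 0x.. hex, leading-0 octal, or plain decimal.
_NUM = re.compile(r"(0[xX][0-9a-fA-F]+)|(0[0-7]*)|([1-9][0-9]*)")

def int_to_dotted(value):
    """Render an unsigned 32-bit ip_src/ip_dst value as a dotted quad."""
    return str(ipaddress.IPv4Address(value))  # raises if outside 0..2**32-1

def fits_signed_32(value):
    """False for addresses >= 128.0.0.0, which overflow a signed 32-bit int."""
    return 0 <= value <= 0x7FFFFFFF

def _number(text):
    m = _NUM.fullmatch(text)
    if not m:
        raise ValueError(text)
    return int(text, 16 if m.group(1) else 8 if m.group(2) else 10)

def canonical_host(host):
    """Return the dotted quad for any numeric host form, else None."""
    parts = host.rstrip(".").split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_number(p) for p in parts]
    except ValueError:
        return None  # an ordinary DNS name
    *lead, last = nums
    # Leading parts are single bytes; the last part fills the remaining bytes.
    if any(n > 0xFF for n in lead) or last >= 256 ** (4 - len(lead)):
        return None
    value = last
    for i, n in enumerate(lead):
        value += n << (8 * (3 - i))
    return int_to_dotted(value)

def is_blocked(url, blocked_ips):
    """Compare the canonical form of the URL's host against the blocklist."""
    host = urlsplit(url).hostname or ""
    return (canonical_host(host) or host) in blocked_ips

# Constructed sample values (192.0.2.1 is a documentation address).
BLOCKED = {"192.0.2.1"}
```

In MySQL itself, `INET_NTOA(ip_src)` performs the same integer-to-dotted conversion server-side, which sidesteps a client that cannot display the full unsigned range.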