OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Wirth, Jeff (WirthJeDNB.com)
Date: Fri May 31 2002 - 14:53:11 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    From: Hugo Ferr [mailto:snortgrphotmail.com]
    > Snort LAN sensor
    > Here is the line from acid :
    > Source
    > destination
    > DOS MSDTC attempt 207.35.159.36:80
    > 10.0.0.249:3372
    > TCP
    >
    >
    > How is this possible? 10.0.0.249 is a proxy machine taht
    > doesn't have public

    Is your snort box inside your FW? If so, I think what you are seeing here
    is a false alarm. The source port on the packet is 80 (HTTP) and you
    mentioned that the 10.0.0.249 box is a proxy server, so if you are snorting
    after NATing occurs this would explain things.

    > ip. How somebody can connect to non-routable ip from the
    > outside world?
    > Or should I interpret this line as something else?
    >

    - Jeff

    _______________________________________________________________

    Don't miss the 2002 Sprint PCS Application Developer's Conference
    August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm

    _______________________________________________
    Snort-users mailing list
    Snort-userslists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users