From: Hugo Ferr (snortgrphotmail.com)
Date: Fri May 31 2002 - 15:20:15 CDT


    My Snort sniffs the LAN NIC of the firewall, but I think it sees the traffic
    before it is NATed.
    ----- Original Message -----
    From: "Wirth, Jeff" <WirthJeDNB.com>
    To: "'Hugo Ferr'" <snortgrphotmail.com>;
    <snort-userslists.sourceforge.net>
    Sent: Friday, May 31, 2002 3:53 PM
    Subject: RE: [Snort-users] (no subject)

    > From: Hugo Ferr [mailto:snortgrphotmail.com]
    > > Snort LAN sensor
    > > Here is the line from acid :
    > > DOS MSDTC attempt | Source 207.35.159.36:80 | Destination 10.0.0.249:3372 | TCP
    > >
    > >
    > > How is this possible? 10.0.0.249 is a proxy machine that
    > > doesn't have public
    >
    > Is your snort box inside your FW? If so, I think what you are seeing here
    > is a false alarm. The source port on the packet is 80 (HTTP) and you
    > mentioned that the 10.0.0.249 box is a proxy server, so if you are snorting
    > after NATing occurs this would explain things.
    >
    > > ip. How somebody can connect to non-routable ip from the
    > > outside world?
    > > Or should I interpret this line as something else?
    > >
    >
    > - Jeff
    >
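Added example, not part of the original thread: a small triage check for the situation discussed above, where an alert keyed on a destination port fires on what is really a web server's reply to a connection the internal proxy opened. The port threshold, the service-port set and the function names are assumptions made for this sketch.

```python
import ipaddress

# Assumption: clients on this network pick source ports from 1024 upward,
# so a "destination port" in that range may simply be the client side of
# an outbound connection.
EPHEMERAL_MIN = 1024
# Assumption: services whose replies are expected to come back to the proxy.
REPLY_SERVICE_PORTS = {80, 443, 8080}


def parse_endpoint(text):
    """Split 'a.b.c.d:port' into (ip_address, int port)."""
    host, _, port = text.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def triage(src, dst, proxies):
    """Classify one alert row by direction.

    Returns 'likely-reply' when the packet looks like an external server
    answering a connection that an internal proxy opened, otherwise
    'investigate'.
    """
    src_ip, src_port = parse_endpoint(src)
    dst_ip, dst_port = parse_endpoint(dst)
    from_service = src_port in REPLY_SERVICE_PORTS and not src_ip.is_private
    to_client = dst_ip in proxies and dst_port >= EPHEMERAL_MIN
    return "likely-reply" if from_service and to_client else "investigate"


# The proxy address comes from the message; the set itself is site-specific.
PROXIES = {ipaddress.ip_address("10.0.0.249")}

if __name__ == "__main__":
    rows = [
        ("207.35.159.36:80", "10.0.0.249:3372"),    # row quoted in the message
        ("207.35.159.36:4021", "10.0.0.249:3372"),  # constructed: non-service source port
    ]
    for s, d in rows:
        print(s, "->", d, triage(s, d, PROXIES))
```

A 'likely-reply' result is a hint to check the proxy's own logs for a matching outbound request to that server, not proof that the alert is benign.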
