From: John Stroud (bearamberorder.com)
Date: Fri May 31 2002 - 14:59:40 CDT


    I forgot to copy the list on my reply, but then I made a typo on it, so
    here we go again, corrected....

    I interpreted the transactions listed as:
    Webserver:80 -> Browser:3372 (Reply)

    So I assume somewhere in the packets stream is a:
    Browser:3372 -> Webserver:80 (original request)

    If this assumption is correct, it could be a false positive.

    I see false positives a lot when I'm reading about IDS and virus
    signatures and the actual content delivered contains the signature, and
    a port of 80.

    Notice in the alert the internal address listed as the destination
    appears to be receiving a reply from a server from which a request was
    made? The source, not the destination, is on port 80.

    J.

    -----Original Message-----
    From: snort-users-adminlists.sourceforge.net
    [mailto:snort-users-adminlists.sourceforge.net] On Behalf Of Hugo Ferr
    Sent: Friday, May 31, 2002 10:55 AM
    To: snort-userslists.sourceforge.net
    Subject: [Snort-users] (no subject)

    Snort LAN sensor
    Here is the line from acid :
    Signature            Source              Destination       Proto
    DOS MSDTC attempt    207.35.159.36:80    10.0.0.249:3372   TCP

    How is this possible? 10.0.0.249 is a proxy machine that doesn't have a
    public IP. How can somebody connect to a non-routable IP from the outside
    world? Or should I interpret this line as something else?

    _______________________________________________________________

    Don't miss the 2002 Sprint PCS Application Developer's Conference
    August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm

    _______________________________________________
    Snort-users mailing list
    Snort-userslists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users
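To put John's direction check into code, here is an added triage helper (not from either poster or from the Snort project) that parses an ACID-style alert row like the one quoted above, reports whether the destination is a private (RFC 1918) address, and flags the alert as a probable server reply when the source is on a service port and the destination port looks ephemeral. The row layout and the 1023 service-port boundary are assumptions.

```python
import ipaddress
import re

# Constructed sample row, in the flattened ACID layout quoted in the thread.
SAMPLE_ALERT = "DOS MSDTC attempt 207.35.159.36:80 10.0.0.249:3372 TCP"

# Assumption: a row is "<signature> <src ip:port> <dst ip:port> <proto>".
ALERT_RE = re.compile(
    r"^(?P<sig>.+?)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)

# Assumption: ports up to 1023 are service ports, anything above is treated
# as a client-side ephemeral port (the browser's 3372 in the thread).
SERVICE_PORT_MAX = 1023


def parse_alert(line):
    """Split an ACID-style alert row into fields; raise on an unknown layout."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    d = m.groupdict()
    return {
        "sig": d["sig"],
        "src": ipaddress.ip_address(d["src"]),
        "sport": int(d["sport"]),
        "dst": ipaddress.ip_address(d["dst"]),
        "dport": int(d["dport"]),
        "proto": d["proto"].upper(),
    }


def triage(alert):
    """Answer the thread's two questions: is the destination non-routable,
    and is this packet a server's reply to a request the inside host made
    (service port on the *source* side, ephemeral port on the destination)?"""
    dst_private = alert["dst"].is_private
    looks_like_reply = (alert["sport"] <= SERVICE_PORT_MAX
                        and alert["dport"] > SERVICE_PORT_MAX)
    return {
        "dst_private": dst_private,
        "looks_like_reply": looks_like_reply,
        # A reply into a private client is a candidate false positive when the
        # signature was written for traffic *to* a service on the dest port.
        "candidate_false_positive": dst_private and looks_like_reply,
        # The request that must have preceded this reply, as John inferred.
        "implied_request": (f"{alert['dst']}:{alert['dport']} -> "
                            f"{alert['src']}:{alert['sport']}")
        if looks_like_reply else None,
    }


def triage_line(line):
    return triage(parse_alert(line))
```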