[Snort-users] Same src/dst

From: Brei, Matt <mbrei(at)medclaiminc.com>
Date: Sun Mar 30 2003 - 19:11:19 EST

   I have been seeing a lot of these "same SRC/DST" alerts even after adding two local rules to pass them. I think these alerts are due to the fact that there is a DNS server running on this machine and it is using itself for its name resolution.
  

   #3-(4-1434)   
   BAD TRAFFIC same SRC/DST   
   2003-03-30 18:49:29   
   10.13.110.254:1026   
   10.13.110.254:53   
   UDP   
   #4-(4-1435)
   BAD TRAFFIC same SRC/DST

   2003-03-30 18:49:29    
   10.13.110.254:53    
   10.13.110.254:1026    

   UDP The two local rules are as follows:

  pass ip 10.13.110.254 53 -> 10.13.110.254 1026 (msg:"BAD TRAFFIC same SRC/DST"; sameip; reference:cve,CVE-1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:3;)

pass ip 10.13.110.254 1026 -> 10.13.110.254 53 (msg:"BAD TRAFFIC same SRC/DST"; sameip; reference:cve,CVE-1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:3;)

These alerts are filling the database rather quickly. Please help. I have searched the mailing list archives as well as Usenet with no helpful results.

Matt

---

This SF.net email is sponsored by:
The Definitive IT and Networking Event. Be There! NetWorld+Interop Las Vegas 2003 -- Register today! http://ads.sourceforge.net/cgi-bin/redirect.pl?keyn0001en

---

Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list Received on Sun Mar 30 19:33:25 2003