Hi again,
Am Montag, den 07.08.2006, 18:19 +0200 schrieb rmkml:
Hi Lutz,
one or two ip ending with .0 ? (72.30.x.0)
Regards
Rmkml
Both don't end with 0.
Am Montag, den 07.08.2006, 18:19 +0200 schrieb Todd Wease:
This alert only occurs if either the source or destination ip starts
with 127. It's a decoder alert and isn't fired by any of the rules
but
only if you have specified that decoding issues should be alerted
upon.
Decoding alerts can be turned off by adding the line
config disable_decode_alerts
I don't want to deactivate those alerts, I know what Loopback traffic.
And that is exactly why this bothers me. It shouldn't be alerted by
snort because it is not Loopback traffic.
But I see I'm not the only one that is seeing alerts that shouldn't be
there. Frank, I do have other (real) loopback traffic here, that doesn't
have chksum=0. Either chksum=0 is causing the alert, but more likely is
that snort somehow displays the chksum wrong as a "side effect". As this
is normal and valid traffic I pretty much doubt the chksum of the packet
itself was wrong or even 0.
Best regards,
Lutz Schildt
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
