On Sat, 2003-06-21 at 20:45, rmkml wrote:
> Hi,
>
> Look at this event:
> Jun 21 18:12:01 xxx 11 firestorm-nids053: 1056211921.440716
> alert=sig.tcp sig=1431.4 priority=2 src=217.128.40.199 dst=24.78.142.0
> proto=6 spt=4662 dpt=3889 flags=*S**A*** from=server server=SYN_SENT
> client=SYN_RECV : BAD TRAFFIC syn to multicast address
>
> Look at this rule (included in firestorm053):
>
> /xxx/snort-rules/bad-traffic.rules:alert tcp any any ->
> [232.0.0.0/8,233.0.0.0/8,239.0.0.0/8] any (msg:"BAD TRAFFIC syn to
> multicast address"; flags:S+; classtype:bad-unknown; sid:1431; rev:4;)
>
> and read the tcpdump file (attached):
> 18:12:01.440705 24.78.142.0.3889 > 217.128.40.199.4662: S [tcp sum ok]
> 311693554:311693554(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl
> 113, id 53684, len 48)
> ...

Can't seem to reproduce this either. What happens if you use the default
ruleset and config but with HOME_NET and EXTERNAL_NET set to any?

-- 
// Gianni Tedesco (gianni at scaramanga dot co dot uk)
lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import
8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D
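To check the report against the rule text, here is an added Python example (not firestorm code and not from either poster) that evaluates the sid 1431 header and flags:S+ against the alert as logged and the SYN as captured; the two records are copied from the thread, while the 239.255.255.250 control packet and the function names are constructed for this example.

```python
import ipaddress
import re

# Destination networks from the quoted rule (sid:1431; rev:4); source and ports are "any".
RULE_DST_NETS = [ipaddress.ip_network(n) for n in ("232.0.0.0/8", "233.0.0.0/8", "239.0.0.0/8")]

# Copies of the two records quoted in the thread (line wraps joined).
ALERT_LINE = ("alert=sig.tcp sig=1431.4 priority=2 src=217.128.40.199 dst=24.78.142.0 "
              "proto=6 spt=4662 dpt=3889 flags=*S**A***")
TCPDUMP_LINE = "18:12:01.440705 24.78.142.0.3889 > 217.128.40.199.4662: S [tcp sum ok] 311693554:311693554(0)"


def parse_firestorm_alert(line):
    """Turn the key=value fields of a firestorm alert line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def parse_tcpdump_tcp(line):
    """Pull src/dst address and the flag letters out of 'a.b.c.d.port > e.f.g.h.port: FLAGS'."""
    m = re.search(r"(\d+(?:\.\d+){3})\.\d+ > (\d+(?:\.\d+){3})\.\d+: (\S+)", line)
    if m is None:
        raise ValueError("not a tcpdump TCP line: %r" % line)
    return {"src": m.group(1), "dst": m.group(2), "flags": m.group(3)}


def rule_1431_matches(src, dst, flags):
    """Rule semantics: any source, SYN set (S+ tolerates extra flags), dst inside a listed /8."""
    # src is accepted only for symmetry with the rule header, which says "any any".
    syn_set = "S" in flags
    dst_listed = any(ipaddress.ip_address(dst) in net for net in RULE_DST_NETS)
    return syn_set and dst_listed


def check_thread_evidence():
    """Evaluate the rule against the alert as logged, the packet as captured, and the packet reversed."""
    a = parse_firestorm_alert(ALERT_LINE)
    p = parse_tcpdump_tcp(TCPDUMP_LINE)
    return {
        "alert_as_logged": rule_1431_matches(a["src"], a["dst"], a["flags"]),
        "packet_as_captured": rule_1431_matches(p["src"], p["dst"], p["flags"]),
        "packet_reversed": rule_1431_matches(p["dst"], p["src"], p["flags"]),
    }


if __name__ == "__main__":
    for name, hit in check_thread_evidence().items():
        print("%-20s %s" % (name, "MATCH" if hit else "no match"))
    # Positive control (constructed): a SYN to a 239/8 group does match the rule.
    print("control 239.255.255.250:", rule_1431_matches("10.0.0.5", "239.255.255.250", "S"))
```

Neither endpoint in the report falls inside the three listed /8 networks, so whatever fired the alert, it was not the rule header as written; the control shows what a genuine hit looks like.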