snort

To: debian-isp@lists.debian.org
Subject: snort
From: Theodore Knab <tjk@annapolislinux.org>
Date: Wed, 12 Oct 2005 15:14:01 -0400
Message-id: <[🔎] 20051012191401.GB12705@annapolislinux.org>

Anyone know if Snort can be used to track spoofed IP addresses ?

We were having some strange martians getting logged.

How do I find out where these are coming from ? 

X=any number between 1-245

messages.1.gz:Oct 10 08:25:51 localhost kernel: martian source X.X.32.81 from X.X.32.66, on dev br0
messages.1.gz:Oct 10 08:25:51 localhost kernel: ll header: ff:ff:ff:ff:ff:ff:00:d0:95:9e:cb:ec:08:06
messages.1.gz:Oct 10 08:25:59 localhost kernel: martian source X.X.32.65 from X.X.32.66, on dev br0
messages.1.gz:Oct 10 08:25:59 localhost kernel: ll header: ff:ff:ff:ff:ff:ff:00:d0:95:9e:cb:ec:08:06
messages.1.gz:Oct 10 08:26:02 localhost kernel: printk: 7 messages suppressed.
messages.1.gz:Oct 10 08:26:02 localhost kernel: martian source X.X.32.120 from X.X.32.66, on dev br0
messages.1.gz:Oct 10 08:26:02 localhost kernel: ll header: ff:ff:ff:ff:ff:ff:00:d0:95:9e:cb:ec:08:06
messages.1.gz:Oct 10 08:26:12 localhost kernel: printk: 3 messages suppressed.
messages.1.gz:Oct 10 08:26:12 localhost kernel: martian source X.X.32.73 from X.X.32.65, on dev br0
messages.1.gz:Oct 10 08:26:12 localhost kernel: ll header: ff:ff:ff:ff:ff:ff:00:05:31:ed:08:00:08:06
messages.1.gz:Oct 10 08:26:15 localhost kernel: martian source X.X.32.73 from X.X.32.65, on dev br0
messages.1.gz:Oct 10 08:26:15 localhost kernel: ll header: ff:ff:ff:ff:ff:ff:00:05:31:ed:08:00:08:06
messages.1.gz:Oct 10 08:26:42 localhost kernel: martian source X.X.32.65 from X.X.32.66, on dev br0
messages.1.gz:Oct 10 08:26:42 localhost kernel: ll header: ff:ff:ff:ff:ff:ff:00:d0:95:9e:cb:ec:08:06
messages.1.gz:Oct 10 08:26:42 localhost kernel: martian source X.X.32.65 from X.X.32.66, on dev br0
messages.1.gz:Oct 10 08:26:42 localhost kernel: ll header: ff:ff:ff:ff:ff:ff:00:d0:95:9e:cb:ec:08:06
messages.1.gz:Oct 10 08:26:42 localhost kernel: martian source X.X.32.65 from X.X.32.66, on dev br0
messages.1.gz:Oct 10 08:26:42 localhost kernel: ll header: ff:ff:ff:ff:ff:ff:00:d0:95:9e:cb:ec:08:06
messages.1.gz:Oct 10 08:26:42 localhost kernel: martian source X.X.32.65 from X.X.32.66, on dev br0
messages.1.gz:Oct 10 08:26:42 localhost kernel: ll header: ff:ff:ff:ff:ff:ff:00:d0:95:9e:cb:ec:08:06
messages.1.gz:Oct 10 08:26:42 localhost kernel: martian source X.X.32.65 from X.X.32.66, on dev br0
messages.1.gz:Oct 10 08:26:42 localhost kernel: ll header: ff:ff:ff:ff:ff:ff:00:d0:95:9e:cb:ec:08:06
messages.1.gz:Oct 10 08:26:42 localhost kernel: martian source X.X.32.65 from X.X.32.66, on dev br0
messages.1.gz:Oct 10 08:26:42 localhost kernel: ll header: ff:ff:ff:ff:ff:ff:00:d0:95:9e:cb:ec:08:06


-- 
------------------------------------------
Ted Knab
Stevensville, Maryland  21666 USA
------------------------------------------
I am lone maggot in a sea of pooh.

Reply to:

Prev by Date: Re: Temporarily Disable IP [ANOTHER SOLUTION]
Next by Date: Re: Debian Rootserver in USA
Previous by thread: I need hosting: 20 GB disk space, 100+ GB bandwidth
Next by thread: Hot-pluggable SCSI
Index(es):
- Date
- Thread