I can ping and trace to that address.

 16    54 ms    48 ms    48 ms  l0.washdc3-cmb1.bbnplanet.net [4.0.0.3]

What is the meaning of the "Host:" in your IDS output?

It would seem that the true source of the packet would be within your own network. - Else how would it get there? Again, it would seem to be local to the IDS or from a location that had a default route to the IDS location.

Can you set up access-lists on various router ports that would log traffic with those addresses? I'm assuming that it is the same IP address each time.

> -----Original Message-----
> From: Maccubbin, Duncan [mailto:[EMAIL PROTECTED]]
> Sent: Monday, June 03, 2002 10:12 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Anyone seen this? [7:45664]
>
> No, the Whois shows it belonging to BBN planet.
>
> -----Original Message-----
> From: Daniel Cotts [mailto:[EMAIL PROTECTED]]
> Sent: Monday, June 03, 2002 11:04 AM
> To: 'Maccubbin, Duncan'; [EMAIL PROTECTED]
> Subject: RE: Anyone seen this? [7:45664]
>
> First question: Is 4.0.0.3 a valid address on your network?
>
> > -----Original Message-----
> > From: Maccubbin, Duncan [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, June 03, 2002 9:01 AM
> > To: [EMAIL PROTECTED]
> > Subject: Anyone seen this? [7:45664]
> >
> > My IDS from time to time pulls this up. I don't know how to
> > track it down easily. Any ideas?
> >
> > IDS ALERT at: 2002-06-03 09:30:06
> > SIGNATURE: BAD TRAFFIC same SRC/DST
> > HOST: TIP3-90Sub
> > SID: 1
> > CID: 945479
> > SRC IP: 4.0.0.3
> > DST IP: 4.0.0.3

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45677&t=45664