Il gio, 2004-05-13 alle 19:53, Kjetil Kjernsmo ha scritto: [...] > 19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434: udp 376 [ttl 1] > 19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434: udp 376 [ttl > 1]
A switched lan, I see ;) It can be slammer [1] (if so, I guess why the ISP tech is so busy :) As you run snort, the eth is probably in promiscuous mode. I think this is the reason you see ifconfig counter increasing (though the packets aren't leading to your server). This and a non-switched lan, of course. Ciao, Gian Piero. [1] http://enterprisesecurity.symantec.com/content.cfm?articleid=3261&EID=0