I agree with Simon and Laurens.
In addition to what they mentioned, there is also the "sensor-stubs" which
just replays canned Bro/Snort/YAF output without actually running
tcpreplay, Bro, Snort, or YAF. You would also see the same IP in that
data.
On Wed, Sep 20, 2017 at 10:38 AM Simon
I think these addresses are used in the example.pcap
(/opt/pcap-replay/example.pcap). The fact that you're receiving this
means that pcap-replay is probably running in the background. You can
check this with Monit ("monit summary").
On 2017-09-20 07:29, Frank Horsfall wrote:
> Morning all,
>
That sounds like an address from the standard example.pcap used to demo Metron
capability. In a real deployment you should not run pcap-replay, which is what
inserts this demo data.
Simon
> On 21 Sep 2017, at 00:29, Frank Horsfall
> wrote:
>
> Morning all,
>
Morning all,
I have several logs showing an address of 192.168.138.158 as ip_src_addr and
192.168.138.2 as ip_dst_addr.
My internal network does not have the 192.168.0.0/24 range which leads me to
believe that somewhere there is a test record with the data.
Would anybody know where I might be