Snort mailing list archives
IP addresses beginning with zero?
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Wed, 13 Mar 2002 16:40:06 -0500
In my Snort (1.9dev) server logs I occasionally see UDP packets from several internal NT servers destined for IP addresses where the first octet is zero, such as 0.0.0.10 and 0.0.0.172. Source and destination ports are always 137 and the packet contents appear to be normal NetBIOS over IP stuff. It happens only maybe 3 to 6 times per day and I have been trying to research why this is happening so as to rule out any security issues such as a trojan horse or some other illicit code communicating on the network. The interesting thing is, if I look at the MAC addresses the packets are destined for when sent to these IP addresses beginning with zero, the MAC address always points to our internal firewall interface.

Some examples:

NTserver1:137 -> 0.0.0.172:137
NTserver2:137 -> 172.0.0.17:137
NTserver3:137 -> 0.0.0.10:137

Some traces with MAC address info:

[**] [1:0:0] UDP to 0.0.0.172 [**]
03/11-20:37:22.297425 0:8:C7:E6:26:D8 -> 0:D0:B7:3D:9B:AE type:0x800 len:0x5C
NTServer1:137 -> 0.0.0.172:137 UDP TTL:128 TOS:0x0 ID:21003 IpLen:20 DgmLen:78
Len: 58

[**] [1:0:0] UDP to 0.0.0.10 [**]
03/11-20:37:48.225007 0:8:C7:E6:26:D8 -> 0:D0:B7:3D:9B:AE type:0x800 len:0x5C
NTServer1:137 -> 0.0.0.10:137 UDP TTL:128 TOS:0x0 ID:34063 IpLen:20 DgmLen:78
Len: 58

[**] [1:0:0] UDP to 172.0.0.17 [**]
03/11-21:22:07.738358 0:8:C7:E6:26:D8 -> 0:D0:B7:3D:9B:AE type:0x800 len:0x5C
NTServer1:137 -> 172.0.0.17:137 UDP TTL:128 TOS:0x0 ID:28172 IpLen:20 DgmLen:78
Len: 58

I came across only one site on the Internet that mentioned the following:

"0 <IP addresses beginning with 0>: These are reserved for computers that do not know their address. For example, 0.0.0.10 would be a computer that only knew it was host 10 on an unknown network."

I can find no other information on IP addresses where the first octet is zero. I was curious if anyone else has come across packets on their network destined for IP addresses beginning with 0, and if you might have any other information on this.

Thanks!
Paul Sheahan
Manager of Information Security
Priceline.com
paul.sheahan () priceline com
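For readers triaging the same kind of alert, the following is an added example (not code from the original post or from the Snort project) that parses the three-line record format Snort writes to its alert file, as quoted above, and checks each record against the one fact the post was looking for: RFC 1122 (section 3.2.1.3) reserves 0.0.0.0/8 as "this network", so a 0.x.y.z address may only appear as a source during host initialisation and is never a legitimate destination on the wire. It also records whether the frame was handed to the gateway MAC, which is what a host does with any destination it considers off-subnet, and whether the ports mark the packet as NetBIOS name service. The sample records are constructed for this example: the hostnames in the thread are replaced with the placeholder 10.1.1.21, a benign fourth record is added for contrast, and the default gateway is assumed to be the firewall interface MAC quoted in the thread.

```python
"""Triage Snort full-alert records for destinations in 0.0.0.0/8 (added example).

RFC 1122 3.2.1.3: 0.0.0.0/8 is "this network"; such an address is never a
valid destination on the wire.  Sample records below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")

# Assumption for this example: the internal firewall interface is the default gateway.
GATEWAY_MAC = "0:D0:B7:3D:9B:AE"

# Constructed input: the thread's traces with hostnames replaced by 10.1.1.21,
# plus one benign record (on-subnet destination, different destination MAC).
SAMPLE_ALERTS = """\
[**] [1:0:0] UDP to 0.0.0.172 [**]
03/11-20:37:22.297425 0:8:C7:E6:26:D8 -> 0:D0:B7:3D:9B:AE type:0x800 len:0x5C
10.1.1.21:137 -> 0.0.0.172:137 UDP TTL:128 TOS:0x0 ID:21003 IpLen:20 DgmLen:78
Len: 58

[**] [1:0:0] UDP to 0.0.0.10 [**]
03/11-20:37:48.225007 0:8:C7:E6:26:D8 -> 0:D0:B7:3D:9B:AE type:0x800 len:0x5C
10.1.1.21:137 -> 0.0.0.10:137 UDP TTL:128 TOS:0x0 ID:34063 IpLen:20 DgmLen:78
Len: 58

[**] [1:0:0] UDP to 172.0.0.17 [**]
03/11-21:22:07.738358 0:8:C7:E6:26:D8 -> 0:D0:B7:3D:9B:AE type:0x800 len:0x5C
10.1.1.21:137 -> 172.0.0.17:137 UDP TTL:128 TOS:0x0 ID:28172 IpLen:20 DgmLen:78
Len: 58

[**] [1:0:0] UDP to 10.1.1.30 [**]
03/11-21:25:00.000001 0:8:C7:E6:26:D8 -> 0:10:5A:11:22:33 type:0x800 len:0x5C
10.1.1.21:137 -> 10.1.1.30:137 UDP TTL:128 TOS:0x0 ID:28200 IpLen:20 DgmLen:78
Len: 58
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+:\d+:\d+)\] (.*?) \[\*\*\]$")
ETH_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+) type:0x[0-9A-Fa-f]+ len:0x[0-9A-Fa-f]+$")
IP_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) (\w+) TTL:(\d+)")


@dataclass
class Alert:
    rule: str       # gid:sid:rev as printed by Snort, e.g. "1:0:0"
    msg: str
    timestamp: str
    src_mac: str
    dst_mac: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def normalize_mac(mac: str) -> str:
    """Snort prints MACs without leading zeros ("0:8:C7:..."); canonicalise to two-digit lower-case octets."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def parse_alerts(text: str) -> List[Alert]:
    """Split the alert file into blank-line-separated records and parse the header, Ethernet and IP lines."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        header, eth, ip = HEADER_RE.match(lines[0]), ETH_RE.match(lines[1]), IP_RE.match(lines[2])
        if not (header and eth and ip):
            raise ValueError(f"unrecognised Snort record: {lines[0]!r}")
        alerts.append(Alert(
            rule=header.group(1), msg=header.group(2), timestamp=eth.group(1),
            src_mac=normalize_mac(eth.group(2)), dst_mac=normalize_mac(eth.group(3)),
            src=ip.group(1), sport=int(ip.group(2)), dst=ip.group(3), dport=int(ip.group(4)),
            proto=ip.group(5),
        ))
    return alerts


def classify(alert: Alert, gateway_mac: str) -> List[str]:
    """Return the findings that apply to one record; an empty list means nothing notable."""
    findings = []
    if ipaddress.ip_address(alert.dst) in THIS_NETWORK:
        findings.append("destination in 0.0.0.0/8 (RFC 1122 'this network'): never a valid on-wire destination")
    if alert.dst_mac == normalize_mac(gateway_mac):
        findings.append("framed to the gateway MAC: sender treated the destination as off-subnet and used its default route")
    if alert.proto == "UDP" and alert.sport == 137 and alert.dport == 137:
        findings.append("NetBIOS name service (UDP 137 -> 137)")
    return findings


def summarize(text: str, gateway_mac: str) -> Dict[str, List[str]]:
    """Map each destination address in the alert file to its findings."""
    return {alert.dst: classify(alert, gateway_mac) for alert in parse_alerts(text)}


if __name__ == "__main__":
    for dst, findings in summarize(SAMPLE_ALERTS, GATEWAY_MAC).items():
        print(dst)
        for finding in findings:
            print("  -", finding)
```

Run against the constructed sample, the two 0.0.0.x destinations are flagged under the RFC 1122 check and as framed to the gateway; 172.0.0.17 is not in 0.0.0.0/8 but is still handed to the gateway MAC, so it surfaces only through the gateway and port checks; the benign 10.1.1.30 record is flagged only as ordinary NetBIOS name service. Point it at a real alert file by replacing SAMPLE_ALERTS with the file's contents and GATEWAY_MAC with the MAC your hosts actually resolve for their default route.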