Snort mailing list archives
RE: portscans from 255.255.255.255?
From: "larosa, vjay" <larosa_vjay () emc com>
Date: Thu, 30 Jan 2003 16:02:52 -0500
My tcp Q access rule on my border IDS'es have been firing like mad. There is a discussion in the intrusions () incidents org mailing list concerning this. Everybody is boggled as to what might be causing it.

vjl

-----Original Message-----
From: twig les [mailto:twigles () yahoo com]
Sent: Thursday, January 30, 2003 3:40 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] portscans from 255.255.255.255?

Hey all, I have seriously debated whether I should send this since it may or may not be off-topic; it's just too bizarre to tell. My border routers are syslogging this:

bdr-acl-in denied tcp 255.255.255.255(80) -> 1.1.156.194(8118)

The ACL is named correctly - these hits are coming from the outside. They hit random IPs in our range like NMAP, and they always target a high port coming from 80. I would assume they are from a LAN upstream since only routers doing stupid things forward broadcasts. The implications of this coming from our upstream provider are quite large since we peer via dual /30s.

It isn't crucial to my security (we don't let those shenanigans in the border), but does snort see this as bad traffic? I did a quick "grep 255.255.255.255 *" in the snortrules dir and only came up with a couple of snmp rules. I would like to know if I should write a rule for this since I only caught this by accident this time.

=====
Know yourself and know your enemy and you will never fear defeat.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
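An added example, not part of the original thread: a log check that surfaces what the poster caught by accident, by flagging denied packets whose source address can never be a legitimate unicast source and counting how many destinations each one touched. It assumes the ACL log format quoted in the post and goes slightly beyond it by also flagging multicast, loopback and unspecified sources; every line in `SAMPLE` except the first is constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the router ACL log format quoted in the post:
#   bdr-acl-in denied tcp 255.255.255.255(80) -> 1.1.156.194(8118)
LINE_RE = re.compile(
    r"(?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\)"
)
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

def impossible_source(addr):
    """Return a reason if addr can never be a valid unicast source, else None."""
    ip = ipaddress.ip_address(addr)
    if ip == LIMITED_BROADCAST:
        return "limited broadcast"
    if ip.is_multicast:
        return "multicast"
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "unspecified"
    return None

def summarize(lines):
    """Group denied packets with impossible sources by (source, source port)."""
    hits = defaultdict(lambda: {"reason": None, "dsts": set(), "count": 0})
    for line in lines:
        m = LINE_RE.search(line)
        reason = impossible_source(m["src"]) if m else None
        if reason is None:
            continue  # unparseable line or ordinary source address
        entry = hits[(m["src"], int(m["sport"]))]
        entry["reason"] = reason
        entry["dsts"].add(m["dst"])
        entry["count"] += 1
    return dict(hits)

# First line is the one quoted in the post; the rest are constructed.
SAMPLE = [
    "bdr-acl-in denied tcp 255.255.255.255(80) -> 1.1.156.194(8118)",
    "bdr-acl-in denied tcp 255.255.255.255(80) -> 192.0.2.17(3124)",
    "bdr-acl-in denied tcp 255.255.255.255(80) -> 192.0.2.200(40211)",
    "bdr-acl-in denied tcp 198.51.100.7(4431) -> 192.0.2.17(23)",
    "bdr-acl-in denied udp 224.0.0.5(520) -> 192.0.2.9(520)",
]

if __name__ == "__main__":
    for (src, sport), e in summarize(SAMPLE).items():
        print(f"{src}:{sport} [{e['reason']}] {e['count']} pkts, {len(e['dsts'])} dsts")
```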
Current thread:
- portscans from 255.255.255.255? twig les (Jan 30)
- Re: portscans from 255.255.255.255? Sam Evans (Jan 30)
- Re: portscans from 255.255.255.255? Gary Flynn (Jan 30)
- Re: portscans from 255.255.255.255? Matt Kettler (Jan 30)
- <Possible follow-ups>
- RE: portscans from 255.255.255.255? larosa, vjay (Jan 30)