Snort mailing list archives
RE: (no subject)
From: "Edward Marshall" <edtech () tstt net tt>
Date: Thu, 18 Sep 2003 21:22:28 -0400
Hi Marc, in response to your question on my problem (broadcast addresses showing up as a source IP address? 192.168.2.255 & 255.255.255.255), I have included in this email 4 alert messages as an example of what Snort is detecting and logging in the log file called ALERT:

[**] [117:1:1] (spp_portscan2) Portscan detected from 255.255.255.255: 6 targets 6 ports in 45 seconds [**]
07/29-11:03:54.973312 255.255.255.255 -> 192.168.2.217
ICMP TTL:64 TOS:0x0 ID:19157 IpLen:20 DgmLen:68
Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
192.168.2.217:138 -> 255.255.255.255:138
UDP TTL:255 TOS:0x0 ID:7551 IpLen:20 DgmLen:229 Len: 201
** END OF DUMP

[**] [117:1:1] (spp_portscan2) Portscan detected from 255.255.255.255: 6 targets 6 ports in 79 seconds [**]
07/29-13:40:20.891202 255.255.255.255 -> 192.168.2.146
ICMP TTL:64 TOS:0x0 ID:47418 IpLen:20 DgmLen:68
Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
192.168.2.146:138 -> 255.255.255.255:138
UDP TTL:255 TOS:0x0 ID:26601 IpLen:20 DgmLen:229 Len: 201
** END OF DUMP

[**] [117:1:1] (spp_portscan2) Portscan detected from 192.168.2.255: 6 targets 6 ports in 53 seconds [**]
07/29-09:55:31.003547 192.168.2.255 -> 192.168.2.55
ICMP TTL:64 TOS:0x0 ID:34116 IpLen:20 DgmLen:68
Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
192.168.2.55:138 -> 192.168.2.255:138
UDP TTL:128 TOS:0x0 ID:8463 IpLen:20 DgmLen:229 Len: 201
** END OF DUMP

[**] [117:1:1] (spp_portscan2) Portscan detected from 192.168.2.255: 6 targets 6 ports in 34 seconds [**]
07/29-09:56:17.455466 192.168.2.255 -> 192.168.2.69
ICMP TTL:64 TOS:0x0 ID:52213 IpLen:20 DgmLen:68
Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
192.168.2.69:138 -> 192.168.2.255:138
UDP TTL:32 TOS:0x0 ID:35585 IpLen:20 DgmLen:231 Len: 203
** END OF DUMP

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Marc Quibell
Sent: Thursday, September 18, 2003 9:51 AM
To: snort-users () lists sourceforge net
Cc: edtech () tstt net tt
Subject: [Snort-users] (no subject)

Broadcast addresses can't show up as a source. Must be your reporting is a little whacky... What are the destinations?

Marc
From: "Edward Marshall" <edtech () tstt net tt>
To: <snort-users () lists sourceforge net>
Date: Thu, 18 Sep 2003 05:59:43 -0400
Subject: [Snort-users] Broadcast address???
Hi Guys, after running Snort 2.0.1 on a corporate network (192.168.2.0/24) for a week, I used Sawmill to analyze the Snort log files (Alert, Portscan.log and Scan.log). I noticed that the following source IP addresses showed up: 192.168.2.255 (with 6,296 hits) and 255.255.255.255 (with 626 hits). My question is, aren't these two IP addresses broadcast addresses? How can a broadcast address show up as a source IP address?
Any assistance would be greatly appreciated!!!
Thanks
Eddie
-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
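Each of the four alerts Eddie pasted actually contains two addresses pairs that are easy to conflate: the IP header of the ICMP port-unreachable itself (source 255.255.255.255 or 192.168.2.255, which is what spp_portscan2 and Sawmill are counting), and the original datagram quoted inside it (a host sending UDP/138, the NetBIOS datagram service, to that same broadcast address). The script below is an added example, not code from the thread or from Snort: it parses the four alerts above, embedded verbatim in Snort's full-alert layout, separates the outer header from the quoted datagram, and groups the errors by broadcast source. The 192.168.2.0/24 network is taken from Eddie's first message; the function and key names are my own. It also records whether the quoted datagram was itself addressed to a broadcast address, because RFC 1122 section 3.2.2 says a host must not send an ICMP error in reply to such a datagram, so the responder emitting these packets is misbehaving regardless of what source address it stamps on them.

```python
# Added example (not from the thread): triage Snort full-format alerts whose
# IP source is a broadcast address.  Network 192.168.2.0/24 assumed from the thread.
import ipaddress
import re

# The four alerts from the message above, in Snort's full-alert layout.
ALERT_TEXT = """\
[**] [117:1:1] (spp_portscan2) Portscan detected from 255.255.255.255: 6 targets 6 ports in 45 seconds [**]
07/29-11:03:54.973312 255.255.255.255 -> 192.168.2.217
ICMP TTL:64 TOS:0x0 ID:19157 IpLen:20 DgmLen:68
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
192.168.2.217:138 -> 255.255.255.255:138
UDP TTL:255 TOS:0x0 ID:7551 IpLen:20 DgmLen:229 Len: 201
** END OF DUMP
[**] [117:1:1] (spp_portscan2) Portscan detected from 255.255.255.255: 6 targets 6 ports in 79 seconds [**]
07/29-13:40:20.891202 255.255.255.255 -> 192.168.2.146
ICMP TTL:64 TOS:0x0 ID:47418 IpLen:20 DgmLen:68
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
192.168.2.146:138 -> 255.255.255.255:138
UDP TTL:255 TOS:0x0 ID:26601 IpLen:20 DgmLen:229 Len: 201
** END OF DUMP
[**] [117:1:1] (spp_portscan2) Portscan detected from 192.168.2.255: 6 targets 6 ports in 53 seconds [**]
07/29-09:55:31.003547 192.168.2.255 -> 192.168.2.55
ICMP TTL:64 TOS:0x0 ID:34116 IpLen:20 DgmLen:68
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
192.168.2.55:138 -> 192.168.2.255:138
UDP TTL:128 TOS:0x0 ID:8463 IpLen:20 DgmLen:229 Len: 201
** END OF DUMP
[**] [117:1:1] (spp_portscan2) Portscan detected from 192.168.2.255: 6 targets 6 ports in 34 seconds [**]
07/29-09:56:17.455466 192.168.2.255 -> 192.168.2.69
ICMP TTL:64 TOS:0x0 ID:52213 IpLen:20 DgmLen:68
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
192.168.2.69:138 -> 192.168.2.255:138
UDP TTL:32 TOS:0x0 ID:35585 IpLen:20 DgmLen:231 Len: 203
** END OF DUMP
"""

SIG_RE = re.compile(r"^\[\*\*\]\s+\[(\d+:\d+:\d+)\]\s+(.*?)\s+\[\*\*\]$")
HDR_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+->\s+(\S+)")
INNER_RE = re.compile(r"^(\S+):(\d+)\s+->\s+(\S+):(\d+)")
PROTO_RE = re.compile(r"\b(ICMP|UDP|TCP)\s+TTL:\d+")
TYPE_RE = re.compile(r"Type:(\d+)\s+Code:(\d+)")


def parse_alerts(text):
    """Split full-format alert text into dicts holding the outer IP header
    fields plus the quoted original datagram (key 'inner') when present."""
    records, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = SIG_RE.match(line)
        if m:                                   # a record starts at "[**] [gid:sid:rev] msg [**]"
            cur = {"sig": m.group(1), "msg": m.group(2), "inner": None}
            records.append(cur)
            continue
        if cur is None or not line:
            continue
        m = HDR_RE.match(line)                  # "MM/DD-hh:mm:ss.usec src -> dst"
        if m:
            cur.update(ts=m.group(1), src=m.group(2), dst=m.group(3))
        m = INNER_RE.match(line)                # "src:sport -> dst:dport" inside the dump
        if m:
            cur["inner"] = {"src": m.group(1), "sport": int(m.group(2)),
                            "dst": m.group(3), "dport": int(m.group(4))}
        m = TYPE_RE.search(line)
        if m:
            cur["icmp_type"], cur["icmp_code"] = int(m.group(1)), int(m.group(2))
        m = PROTO_RE.search(line)               # protocol line follows the header it describes
        if m:
            (cur["inner"] if cur["inner"] is not None else cur).setdefault("proto", m.group(1))
    return records


def broadcast_error_summary(records, cidr):
    """Group ICMP type-3 alerts whose IP source is the subnet broadcast or
    255.255.255.255.  inner_dst_broadcast=True means the quoted datagram was
    itself sent to a broadcast address, which RFC 1122 s3.2.2 says must never
    draw an ICMP error in the first place."""
    net = ipaddress.ip_network(cidr)
    bcast = {net.broadcast_address, ipaddress.ip_address("255.255.255.255")}
    out = {}
    for r in records:
        if r.get("proto") != "ICMP" or r.get("icmp_type") != 3:
            continue
        if ipaddress.ip_address(r["src"]) not in bcast:
            continue
        e = out.setdefault(r["src"], {"count": 0, "senders": set(),
                                      "inner_services": set(), "inner_dst_broadcast": True})
        e["count"] += 1
        inner = r["inner"]
        if inner:
            e["senders"].add(inner["src"])
            e["inner_services"].add("%s/%d" % (inner.get("proto", "?"), inner["dport"]))
            if ipaddress.ip_address(inner["dst"]) not in bcast:
                e["inner_dst_broadcast"] = False
    for e in out.values():                      # sets -> sorted lists for stable output
        e["senders"] = sorted(e["senders"])
        e["inner_services"] = sorted(e["inner_services"])
    return out


if __name__ == "__main__":
    for src, e in broadcast_error_summary(parse_alerts(ALERT_TEXT), "192.168.2.0/24").items():
        print(src, e)
```

Run against the four alerts, both broadcast "sources" collapse to the same picture: two different workstations each sent a NetBIOS datagram (UDP/138) to the broadcast address, and something answered each with an ICMP port unreachable stamped with that broadcast address as its source. To find the responder rather than the address it is spoofing, capture on the segment and look at the Ethernet source of those ICMP packets, for example with `tcpdump -n -e 'icmp[0] = 3 and src host 192.168.2.255'`; the MAC address identifies the host that needs fixing, and the alert can then be tuned rather than chased as a port scan.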
Current thread:
- Re: (no subject), (continued)
- Re: (no subject) Erek Adams (Aug 05)
- Re: (no subject) Matt Kettler (Aug 05)
- Re: (no subject) Patrick S. Harper - CISSP (Aug 05)
- Re: (no subject) Erek Adams (Aug 05)
- (no subject) JP Vossen (Aug 09)
- Re: (no subject) Marc Quibell (Aug 11)
- (no subject) Stefan Eggert (Aug 26)
- Re: (no subject) Stefan Eggert (Aug 26)
- (no subject) marjan purba (Sep 07)
- Re: (no subject) Nick Oliver (Sep 08)
- (no subject) Marc Quibell (Sep 18)
- RE: (no subject) Edward Marshall (Sep 19)
- Re: (no subject) Martin Roesch (Sep 22)
- RE: (no subject) Edward Marshall (Sep 19)
- (no subject) Travis Dent (Sep 18)
- Re: (no subject) Marc Quibell (Sep 22)
- Re: (no subject) Marc Quibell (Sep 22)
- (no subject) RAGUNATHAN, SOUMYA (Sep 24)
- Re: (no subject) Rahul (Sep 24)