Snort mailing list archives
Re: (no subject)
From: "Marc Quibell" <mquibell () fbfs com>
Date: Mon, 22 Sep 2003 15:39:49 -0500
" Is this a worm or something randomly searching IPs for port 138? "

Duh...probably just a netbios name query bcast or name server bcast...

Marc

roesch () sourcefire com on 09/22/2003 02:48:24 PM

To: "Edward Marshall" <edtech () tstt net tt>
cc: Marc Quibell/FBFS@FBFS, snort-users () lists sourceforge net
Subject: Re: [Snort-users] (no subject)

That looks like something responding on the broadcast to broadcast netbios-dgm traffic, did you get the MAC address of the source side of the packets? Some device on the network is feeling empowered to answer for broadcast traffic....

-Marty

On Thursday, September 18, 2003, at 09:22 PM, Edward Marshall wrote:
Hi Marc, in response to your question on my problem (Broadcast addresses showing up as a source IP address??? 192.168.2.255 & 255.255.255.255), I have included in this email 4 alert messages, as an example of what snort is detecting and logging in the log file called ALERT:

[**] [117:1:1] (spp_portscan2) Portscan detected from 255.255.255.255: 6 targets 6 ports in 45 seconds [**]
07/29-11:03:54.973312 255.255.255.255 -> 192.168.2.217
ICMP TTL:64 TOS:0x0 ID:19157 IpLen:20 DgmLen:68
Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
192.168.2.217:138 -> 255.255.255.255:138
UDP TTL:255 TOS:0x0 ID:7551 IpLen:20 DgmLen:229
Len: 201
** END OF DUMP

[**] [117:1:1] (spp_portscan2) Portscan detected from 255.255.255.255: 6 targets 6 ports in 79 seconds [**]
07/29-13:40:20.891202 255.255.255.255 -> 192.168.2.146
ICMP TTL:64 TOS:0x0 ID:47418 IpLen:20 DgmLen:68
Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
192.168.2.146:138 -> 255.255.255.255:138
UDP TTL:255 TOS:0x0 ID:26601 IpLen:20 DgmLen:229
Len: 201
** END OF DUMP

[**] [117:1:1] (spp_portscan2) Portscan detected from 192.168.2.255: 6 targets 6 ports in 53 seconds [**]
07/29-09:55:31.003547 192.168.2.255 -> 192.168.2.55
ICMP TTL:64 TOS:0x0 ID:34116 IpLen:20 DgmLen:68
Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
192.168.2.55:138 -> 192.168.2.255:138
UDP TTL:128 TOS:0x0 ID:8463 IpLen:20 DgmLen:229
Len: 201
** END OF DUMP

[**] [117:1:1] (spp_portscan2) Portscan detected from 192.168.2.255: 6 targets 6 ports in 34 seconds [**]
07/29-09:56:17.455466 192.168.2.255 -> 192.168.2.69
ICMP TTL:64 TOS:0x0 ID:52213 IpLen:20 DgmLen:68
Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
192.168.2.69:138 -> 192.168.2.255:138
UDP TTL:32 TOS:0x0 ID:35585 IpLen:20 DgmLen:231
Len: 203
** END OF DUMP

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Marc Quibell
Sent: Thursday, September 18, 2003 9:51 AM
To: snort-users () lists sourceforge net
Cc: edtech () tstt net tt
Subject: [Snort-users] (no subject)

Broadcast addresses can't show up as a source. Must be your reporting is a little whacky...What are the destinations?

Marc

Message: 2
From: "Edward Marshall" <edtech () tstt net tt>
To: <snort-users () lists sourceforge net>
Date: Thu, 18 Sep 2003 05:59:43 -0400
Subject: [Snort-users] Broadcast address???

Hi Guys, after running Snort 2.0.1 on a corporate network 192.168.2.0/24 for a week, I used Sawmill to analyze the Snort log files (Alert, Portscan.log and Scan.log). I noticed that the following source IP addresses showed up: 192.168.2.255 (with 6,296 hits) and 255.255.255.255 (with 626 hits). My question is, aren't these two IP addresses broadcast addresses??? How can a broadcast address show up as a source IP address??? Any assistance would be greatly appreciated!!!

Thanks
Eddie

-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Enterprise-class Intrusion detection built on Snort
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
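The pattern Marty describes (some device answering broadcast netbios-dgm traffic with ICMP port unreachables whose source is the broadcast address, which spp_portscan2 then counts as a scan from that address) can be checked for mechanically rather than by eyeballing thousands of hits in Sawmill. The Python below is an added example, not code from this thread, from Snort or from Sourcefire: it parses entries in the alert-file layout Edward quoted, flags the ones that match that exact pattern (ICMP type 3 code 3, broadcast source, embedded original datagram is UDP/138 from the alert's destination to that same broadcast address), and lists the hosts whose broadcasts were answered so you know where on the wire to capture the responder's MAC. The sample entries are constructed: two are copied from the thread, the third is a made-up unicast port unreachable that must not be flagged. The 192.168.2.0/24 network is the poster's own; the "broadcast-reply" and "review" labels are my naming.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# Constructed sample in Snort 2.0 "alert" file layout: two entries quoted in the
# thread above plus a constructed unicast ICMP entry that must NOT be flagged.
SAMPLE_ALERTS = """\
[**] [117:1:1] (spp_portscan2) Portscan detected from 255.255.255.255: 6 targets 6 ports in 45 seconds [**]
07/29-11:03:54.973312 255.255.255.255 -> 192.168.2.217
ICMP TTL:64 TOS:0x0 ID:19157 IpLen:20 DgmLen:68
Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
192.168.2.217:138 -> 255.255.255.255:138
UDP TTL:255 TOS:0x0 ID:7551 IpLen:20 DgmLen:229
Len: 201
** END OF DUMP

[**] [117:1:1] (spp_portscan2) Portscan detected from 192.168.2.255: 6 targets 6 ports in 53 seconds [**]
07/29-09:55:31.003547 192.168.2.255 -> 192.168.2.55
ICMP TTL:64 TOS:0x0 ID:34116 IpLen:20 DgmLen:68
Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
192.168.2.55:138 -> 192.168.2.255:138
UDP TTL:128 TOS:0x0 ID:8463 IpLen:20 DgmLen:229
Len: 201
** END OF DUMP

[**] CONSTRUCTED: unicast port unreachable from the gateway, not the broadcast pattern [**]
07/29-12:00:00.000000 192.168.2.1 -> 192.168.2.55
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:56
Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
192.168.2.55:1025 -> 192.168.2.1:53
UDP TTL:128 TOS:0x0 ID:2 IpLen:20 DgmLen:60
Len: 32
** END OF DUMP
"""

LOCAL_NET = IPv4Network("192.168.2.0/24")  # the poster's network, from the thread
LIMITED_BROADCAST = IPv4Address("255.255.255.255")
HEADER_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) ([\d.]+) -> ([\d.]+)$", re.M)
PROTO_RE = re.compile(r"^(ICMP|UDP|TCP) TTL:\d+", re.M)
ICMP_RE = re.compile(r"^Type:(\d+)\s+Code:(\d+)", re.M)
ORIG_RE = re.compile(r"^\*\* ORIGINAL DATAGRAM DUMP:\n([\d.]+):\d+ -> ([\d.]+):(\d+)\n(ICMP|UDP|TCP)", re.M)

@dataclass
class Alert:
    timestamp: str
    src: IPv4Address
    dst: IPv4Address
    proto: str
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    orig_src: Optional[IPv4Address] = None   # from the embedded original datagram
    orig_dst: Optional[IPv4Address] = None
    orig_dport: Optional[int] = None
    orig_proto: Optional[str] = None

def parse_alerts(text: str) -> list:
    """Split the alert file on blank lines and keep every entry that has a packet header."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        h, p = HEADER_RE.search(block), PROTO_RE.search(block)
        if not (h and p):
            continue  # bare preprocessor line or similar: nothing to classify
        a = Alert(h.group(1), IPv4Address(h.group(2)), IPv4Address(h.group(3)), p.group(1))
        i = ICMP_RE.search(block) if a.proto == "ICMP" else None
        if i:
            a.icmp_type, a.icmp_code = int(i.group(1)), int(i.group(2))
        o = ORIG_RE.search(block)
        if o:
            a.orig_src, a.orig_dst = IPv4Address(o.group(1)), IPv4Address(o.group(2))
            a.orig_dport, a.orig_proto = int(o.group(3)), o.group(4)
        alerts.append(a)
    return alerts

def classify(a: Alert, net: IPv4Network = LOCAL_NET) -> str:
    """'broadcast-reply' is the thread's pattern: an ICMP port unreachable from a broadcast
    address quoting a UDP/138 datagram that this alert's destination sent to that address."""
    if (a.proto == "ICMP" and (a.icmp_type, a.icmp_code) == (3, 3)
            and a.src in (LIMITED_BROADCAST, net.broadcast_address)
            and a.orig_proto == "UDP" and a.orig_dport == 138
            and a.orig_dst == a.src and a.orig_src == a.dst):
        return "broadcast-reply"
    return "review"  # everything else still gets a human look

def triage(text: str, net: IPv4Network = LOCAL_NET) -> dict:
    """Count both classes and list the hosts whose broadcasts were answered (the responder
    itself is not in these alerts; its MAC has to be read off the wire, as Marty says)."""
    counts = {"broadcast-reply": 0, "review": 0}
    answered = set()
    for a in parse_alerts(text):
        verdict = classify(a, net)
        counts[verdict] += 1
        if verdict == "broadcast-reply":
            answered.add(str(a.dst))
    return {"counts": counts, "answered_hosts": sorted(answered)}
```

Calling triage(SAMPLE_ALERTS) on the constructed sample reports two broadcast-reply entries and one for review, with 192.168.2.217 and 192.168.2.55 as the hosts whose broadcasts drew an answer. Point parse_alerts at a real alert file and the "review" bucket is what is left of the spp_portscan2 noise once the broadcast replies are set aside; a sniffer filter on ICMP from the broadcast addresses toward those hosts then shows the responding device's MAC.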