Snort mailing list archives
Re: Question, probably really simple, but a question nonetheless
From: Alex Kirk <alex.kirk () sourcefire com>
Date: Fri, 07 Oct 2005 16:09:03 -0400
Kevin,

These are distinctly odd packets. If the host that they're all coming from is internal to your network, I would go and do a full scan of the box -- virus, spyware, rootkits, the works -- since this could potentially be the result of some malicious software running on it. However, it may just be that the box is misconfigured or has some poorly written software on it; it's just tough to say without more information.
If this host is not on your internal network, it may indicate that you're being scanned, though in a very strange way. At that point, it would probably be smart to go make sure your systems are all patched up to date, that your firewall is running correctly, etc. (though clearly all of this is good practice regardless of whether you're the subject of an abnormal scan).
A more detailed PCAP, that had traffic flowing to and from this host, might be helpful in diagnosing what's going on here. Of course, this may also be a great excuse to tell your boss that you need Snort set up to see all of the traffic going in and out of your network -- perhaps some other alerts would crop up and lead to the nature of the problem here.
Alex Kirk
Research Analyst
Sourcefire, Inc.
Alex,

Thanks for getting back to me. Yeah, that information did help a little, it just has to sink in. Anyway, here is the pcap (hopefully it will be there) from Ethereal that I pulled out of the tcpdump logs. I filtered out packets just from this source. Also, I don't know if this will help you identify the reason for all the 0 addresses, but here is how we have snort set up; it is an odd configuration, but this is how they wanted it done. Anyway, the box is only getting traffic that would normally go nowhere or get no reply, such as a bad web address, a down server, etc. That is all the information snort is going to get. I realize that is taking a lot of power out of what snort can do, but my hands were tied for that decision. Anyway, hopefully you can find something out of it.

Thanks again,
Kevin
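Alex asks for a capture that shows traffic both to and from the suspect host, and Kevin mentions the "0 addresses" in what he captured. The script below is an added example, not code from either poster or from Snort: it parses a classic libpcap file image (Ethernet link type, little-endian magic only), keeps every IPv4 packet where a given host is either source or destination, and counts direction, peers, and packets carrying a 0.0.0.0 address so the reviewer sees both sides of the conversation rather than only packets "from this source". The host address and the sample capture are constructed for the example; in practice you would read the file Kevin extracted from tcpdump with `open(path, "rb").read()`.

```python
import struct
from collections import Counter

# Hypothetical host under investigation (constructed for this example).
SUSPECT_HOST = "192.0.2.10"

# Ethernet link type value in the pcap global header, and the IPv4 EtherType.
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"
PCAP_MAGIC_LE = 0xA1B2C3D4


def ip_bytes(dotted):
    """Dotted-quad string -> 4 raw bytes."""
    return bytes(int(o) for o in dotted.split("."))


def build_pcap(packets):
    """Build a classic libpcap (not pcapng) file image from (src, dst, proto) tuples.

    Constructed test data only: each record is a bare Ethernet + IPv4 header with
    no transport payload, which is enough for address-level triage.
    """
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    out = [header]
    for i, (src, dst, proto) in enumerate(packets):
        eth = b"\x00" * 12 + ETHERTYPE_IPV4          # dummy MACs, EtherType IPv4
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                         ip_bytes(src), ip_bytes(dst))
        frame = eth + ip
        # Record header: ts_sec, ts_usec, incl_len, orig_len (little-endian).
        out.append(struct.pack("<IIII", 1128700000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_ipv4(pcap):
    """Yield (src, dst, proto) for each IPv4-over-Ethernet record in the image."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("only little-endian classic pcap is handled here")
    linktype, = struct.unpack_from("<I", pcap, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        # Need a full Ethernet header plus a minimal IPv4 header, and the IPv4 EtherType.
        if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
            continue
        if (frame[14] & 0x0F) * 4 < 20:
            continue                                  # malformed IHL, skip
        proto = frame[23]
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        yield src, dst, proto


def summarize(pcap, host):
    """Count packets to and from `host`, the peers it talks to, and zero-addressed packets."""
    stats = {"from_host": 0, "to_host": 0, "zero_address": 0, "peers": Counter()}
    for src, dst, proto in iter_ipv4(pcap):
        if host not in (src, dst):
            continue                                  # unrelated conversation
        if src == host:
            stats["from_host"] += 1
            stats["peers"][dst] += 1
        else:
            stats["to_host"] += 1
            stats["peers"][src] += 1
        if "0.0.0.0" in (src, dst):
            stats["zero_address"] += 1                # the "0 addresses" worth a closer look
    return stats


# Constructed sample capture: three packets from the suspect (two of them to 0.0.0.0),
# one reply to it, and one unrelated flow that the filter must ignore.
SAMPLE_PCAP = build_pcap([
    (SUSPECT_HOST, "0.0.0.0", 17),
    (SUSPECT_HOST, "198.51.100.5", 6),
    ("198.51.100.5", SUSPECT_HOST, 6),
    (SUSPECT_HOST, "0.0.0.0", 17),
    ("203.0.113.9", "203.0.113.10", 6),
])

if __name__ == "__main__":
    s = summarize(SAMPLE_PCAP, SUSPECT_HOST)
    print(f"from host: {s['from_host']}, to host: {s['to_host']}, "
          f"zero-addressed: {s['zero_address']}, peers: {dict(s['peers'])}")
```

A capture that shows traffic in only one direction cannot distinguish a host that is probing from one that is merely answering badly; counting replies per peer alongside the zero-addressed packets is the first thing to check before deciding between "misconfigured software" and "scan".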