Snort mailing list archives

Re: Alerts where source and destination addresses equal 0.0.0.0


From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 24 Jan 2014 05:02:44 -0700

On Fri, 2014-01-24 at 08:56 +0100, Cyrille Bollu wrote:
> Hi,
>
> On my installation, I've a lot of alerts 2002023-2002028 whose source
> and destination IP addresses equal 0.0.0.0.
>
> I've googled about this on the Internet, but couldn't really pinpoint
> what's going on.
>
> Do any of you have a clue?
>
> And, how could I prevent being alerted for such events? I've
> tried filtering them (eg: !0.0.0.0 -> any 6666:7000), but it didn't
> seem to work.
>
> Thanks for any help.
>
> Cyrille

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!


You can add them to your threshold.conf file:

suppress gen_id 1, sig_id 2002023, track by_src, ip 0.0.0.0

You'd have to add the above for each sig. But seeing as those are IRC
ports, I'd suggest something nefarious is going on.

James
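
An added example, not part of James's message or of Snort itself: it counts the alerts in the 2002023-2002028 range whose source and destination are both 0.0.0.0, then emits one suppress entry per signature in the form given above. It assumes alerts are logged in Snort's "fast" alert format; the sample lines and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Snort's "fast" alert format; the messages,
# timestamps, ports and the 192.0.2.x/198.51.100.x hosts are made up.
SAMPLE_ALERTS = """\
01/24-08:40:01.000001  [**] [1:2002023:1] constructed msg A [**] [Priority: 3] {TCP} 0.0.0.0:1024 -> 0.0.0.0:6667
01/24-08:40:02.000002  [**] [1:2002024:1] constructed msg B [**] [Priority: 3] {TCP} 0.0.0.0:1024 -> 0.0.0.0:6667
01/24-08:40:03.000003  [**] [1:2002023:1] constructed msg A [**] [Priority: 3] {TCP} 0.0.0.0:1025 -> 0.0.0.0:6667
01/24-08:40:04.000004  [**] [1:2002026:1] constructed msg C [**] [Priority: 3] {TCP} 192.0.2.10:51515 -> 198.51.100.7:6667
"""

# [gid:sid:rev] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\].*\{[^}]+\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?"
)

def zero_address_alerts(text, first_sid=2002023, last_sid=2002028):
    """Count alerts per (gid, sid) whose source and destination are both 0.0.0.0."""
    hits = Counter()
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not a fast-format alert line
        sid = int(m["sid"])
        if (first_sid <= sid <= last_sid
                and m["src"] == "0.0.0.0" and m["dst"] == "0.0.0.0"):
            hits[(int(m["gid"]), sid)] += 1
    return hits

def suppress_lines(hits):
    """One threshold.conf suppress entry per signature, in the form from the reply."""
    return [
        f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip 0.0.0.0"
        for gid, sid in sorted(hits)
    ]

if __name__ == "__main__":
    hits = zero_address_alerts(SAMPLE_ALERTS)
    for (gid, sid), count in sorted(hits.items()):
        print(f"# {count} alert(s) for {gid}:{sid} with src=dst=0.0.0.0")
    print("\n".join(suppress_lines(hits)))
```

Only signatures that actually fired with both addresses at 0.0.0.0 get an entry, so alerts from real hosts on the same signatures keep firing.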
