[Snort-sigs] Alerts where source and destination addresses equal 0.0.0.0

Cyrille Bollu cyrille.bollu at ...2420...
Fri Jan 24 09:40:15 EST 2014


Should you know all the crap that's in my company's wires...


On Fri, Jan 24, 2014 at 1:02 PM, James Lay <jlay at ...3266...> wrote:

>  On Fri, 2014-01-24 at 08:56 +0100, Cyrille Bollu wrote:
>
> Hi,
>
>
>  On my installation, I've a lot of alerts 2002023-2002028 whose source
> and destination IP addresses equal 0.0.0.0.
>
>
>  I've googled about this on the Internet, but couldn't really pinpoint what's
> going on.
>
>
>  Do any of you have a clue?
>
>
>  And, how could I prevent being alerted for such events? I've tried
> filtering them (eg: !0.0.0.0 -> any 6666:7000), but it didn't seem to work.
>
>
>  Thanks for any help.
>
>
>  Cyrille
>
> You can add them to your threshold.conf file:
>
> suppress gen_id 1, sig_id 2002023, track by_src, ip 0.0.0.0
>
> You'd have to add the above for each sig.  But seeing as those are IRC
> ports, I'd suggest something nefarious is going on.
>
> James
>
>
>