[Snort-sigs] Alerts where source and destination addresses equal 0.0.0.0
wkitty42 at ...3507...
Fri Jan 24 11:06:13 EST 2014
On 1/24/2014 7:02 AM, James Lay wrote:
> You can add them to your threshold.conf file:
> suppress gen_id 1, sig_id 2002023, track by_src, ip 0.0.0.0
> You'd have to add the above for each sig. But seeing as those are IRC ports,
> I'd suggest something nefarious is going on.
agreed... especially given the following...
NetRange: 0.0.0.0 - 0.255.255.255
NetType: IANA Special Use
Comment: The address 0.0.0.0 may only be used as the address of an
outgoing packet when a computer is learning which IP address
it should use. It is never used as a destination address.
Addresses starting with "0." are sometimes used for broadcasts
to directly connected devices.
Comment: If you see addresses starting with a "0." in logs they are
probably in use on your network, which might be as small as a
computer connected to a home gateway.
Comment: This block was assigned by the IETF, the organization that
develops Internet protocols, in the Standard document, RFC
1122, and is further documented in the Best Current Practice
document RFC 6890. IANA is listed as the registrant to make it
clear that this network is not assigned to any single
Comment: These documents can be found at:
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.
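
An added example, not part of the original posts: one way to see which signatures fire with both source and destination 0.0.0.0, and how often, before writing the per-signature `suppress` entries described above. It assumes Snort's "fast" alert format; the sample alert lines, their messages, ports and every sid other than 2002023 are constructed.

```python
import re
from collections import Counter

UNSPECIFIED = "0.0.0.0"

# Snort "fast" alert line:
#   timestamp [**] [gid:sid:rev] msg [**] [...] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[^}]+)\}\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?"
    r"\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?"
)

# Constructed sample input (not taken from the thread).
SAMPLE_ALERTS = """\
01/24-07:02:11.000001  [**] [1:2002023:1] constructed alert A [**] [Classification: Misc activity] [Priority: 3] {TCP} 0.0.0.0:49152 -> 0.0.0.0:6667
01/24-07:02:12.000002  [**] [1:2002023:1] constructed alert A [**] [Classification: Misc activity] [Priority: 3] {TCP} 0.0.0.0:49153 -> 0.0.0.0:6667
01/24-07:02:13.000003  [**] [1:9000001:1] constructed alert B [**] [Classification: Misc activity] [Priority: 3] {TCP} 0.0.0.0:49154 -> 0.0.0.0:6668
01/24-07:02:14.000004  [**] [1:2002023:1] constructed alert A [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:49155 -> 198.51.100.5:6667
01/24-07:02:15.000005  [**] [1:9000002:1] constructed alert C [**] [Classification: Misc activity] [Priority: 3] {UDP} 0.0.0.0:68 -> 255.255.255.255:67
"""


def zero_address_alerts(text):
    """Count alerts per (gen_id, sig_id) where src AND dst are both 0.0.0.0."""
    hits = Counter()
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m and m["src"] == UNSPECIFIED and m["dst"] == UNSPECIFIED:
            hits[(int(m["gid"]), int(m["sid"]))] += 1
    return hits


def suppress_lines(hits):
    """Build one threshold.conf suppress entry per signature, as in the thread."""
    return [
        f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {UNSPECIFIED}"
        for gid, sid in sorted(hits)
    ]


if __name__ == "__main__":
    found = zero_address_alerts(SAMPLE_ALERTS)
    for (gid, sid), count in sorted(found.items()):
        print(f"# {count} alert(s) with src and dst {UNSPECIFIED} for {gid}:{sid}")
    print("\n".join(suppress_lines(found)))
```
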