[Snort-sigs] Alerts where source and destination addresses equal 0.0.0.0

waldo kitty wkitty42 at ...3507...
Fri Jan 24 11:06:13 EST 2014


On 1/24/2014 7:02 AM, James Lay wrote:
> You can add them to your threshold.conf file:
>
> suppress gen_id 1, sig_id 2002023, track by_src, ip 0.0.0.0
>
> You'd have to add the above for eash sig.  But seeing as those are IRC ports,
> I'd suggest something nefarious is going on.

agreed... especially given the following...

NetRange:       0.0.0.0 - 0.255.255.255
CIDR:           0.0.0.0/8
OriginAS:
NetName:        SPECIAL-IPV4-LOCAL-ID-IANA-RESERVED
NetHandle:      NET-0-0-0-0-1
Parent:
NetType:        IANA Special Use
Comment:        The address 0.0.0.0 may only be used as the address of an
                 outgoing packet when a computer is learning which IP address
                 it should use.  It is never used as a destination address.
                 Addresses starting with "0." are sometimes used for broadcasts
                 to directly connected devices.
Comment:
Comment:        If you see addresses starting with a "0." in logs they are
                 probably in use on your network, which might be as small as a
                 computer connected to a home gateway.
Comment:
Comment:        This block was assigned by the IETF, the organization that
                 develops Internet protocols, in the Standard document, RFC
                 1122, and is further documented in the Best Current Practice
                 document RFC 6890.  IANA is listed as the registrant to make it
                 clear that this network is not assigned to any single
                 organization.
Comment:
Comment:        These documents can be found at:
Comment:        http://datatracker.ietf.org/doc/rfc1122
Comment:        http://datatracker.ietf.org/doc/rfc6890
RegDate:
Updated:        2013-08-30
Ref:            http://whois.arin.net/rest/net/NET-0-0-0-0-1


-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.




More information about the Snort-sigs mailing list