[Snort-users] Win98 on reboot
ryan at ...35...
Mon Mar 12 01:25:00 EST 2001
On Sun, 11 Mar 2001, Lance Spitzner wrote:
> Rebooted Win98 desktop on my network, snort captured and
> alerted to the following. What is my Win98 desktop trying
> to do? No packet payload in the ICMP packets :-0
It's trying to find a router.
> [**] ICMP Router Selection [**]
> 03/11-22:51:40.761942 192.168.1.100 -> 188.8.131.52
> ICMP TTL:128 TOS:0x0 ID:0 IpLen:20 DgmLen:28
> Type:10 Code:0 UNKNOWN
10 Router Selection [RFC1256]
0 No Code
This is how Windows boxen with bogus IP addresses find their way off the
local subnet (though they usually don't get eny replies that way.)
There was even a hole in it. L0pht guys, I believe.
More information about the Snort-users