[Snort-users] Does this address ring a bell? 111.222.222.222

Phil Wood cpw at ...440...
Thu Mar 15 13:11:57 EST 2001


On Thu, Mar 15, 2001 at 11:52:03AM -0600, John_Delisle at ...1523... wrote:
> 
> 
> So you're seeing it coming towards your firewall from the internet? What's

Oops, I thought I said,

  "... that is being stopped from leaving our site .."

It is originating in our network, our "egress" router is dropping the packet
and logging the event because it has an incorrect source address.  My sensor
is not in the right place to capture the data.  (Although, I can remedy that).

My scenario was that some virus or shrink wrap software from some
disreputable vendor was sending signals out with a forged IP source address.
The content of this packet could have credit card info, user habit data,
disk directory information, local file content, etc.

Probably enough said about this subject.  ^%)

> 
> The address is from a reserved block:
> 
> % whois 111.222.222.222
> 
>    IANA (RESERVED-8)
>    US
> 
>    Netname: RESERVED-8
>    Netblock: 96.0.0.0 - 126.255.255.255
> 
>    Coordinator:
>    Internet Corporation for Assigned Names and Numbers (IANA-ARIN)
> iana at ...1585...
>       (310) 823-9358
> 
>    Record last updated on 03-Nov-1998.
>    Database last updated on 14-Mar-2001 22:57:25 EDT.
> %
> 
> and, I also forgot to say that is being stopped from leaving our site as it
> is NOT one of our source addresses.
> 
> I should have been more explicit, and asked if anyone knows of some vendor OS
> that ships this way.  Or, is it a trick by the owners of the recipient
> addresses to get a clue that some application or virus has obtained a
> foothold on some unsuspecting machine.  I do not have any content for
> the packets because the packets are being dropped before passing by my
> sensor.
> 
> Thanks,
> 
> --
> Phil Wood, cpw at ...440...
> 
> 
> 

-- 
Phil Wood, cpw at ...440...