[Snort-users] Re: port 0 packets from bogon networks

Ryan Hill rhill at ...2446...
Sun Nov 25 20:05:01 EST 2001


Joe,

FYI - although I haven't been seeing these packets externally, false alarms
on an internal sensor here have been traced to Cisco's Local Director boxes
and their communication with a management station. Bad Cisco - no biscuit!

Regards,

Ryan Hill, MCSE 
IT Ninja
Corporate Information Systems
Telecommunication Systems, Inc. (TCS) - http://www.telecomsys.com
v: 206.792.2276 - f: 206.792.2001
pgp: 0x17CE70AB


> -----Original Message-----
> From: Joe Pampel [mailto:joe at ...3851...] 
> Sent: Friday, November 23, 2001 10:48 AM
> To: snort-users at lists.sourceforge.net; 
> snort-users-request at lists.sourceforge.net
> Subject: [Snort-users] Re: port 0 packets from bogon networks
> 
> 
> I know this isn't the NIDS helpline, but I am seeing a lot 
> more of this sort of packet than usual. I stop them at the 
> edge router with an ACL (per Rob Thomas) but I've never seen 
> much action from this list. Today I am seeing a bunch and am 
> just curious is anyone else is getting some action?  Maybe 
> something's up, maybe I just ate too much yesterday. (maybe 
> both?) I normally would associate anything with a bad return 
> address as some sort of DOS, but is there anything else you'd 
> do to someone else from a spoofed &/or unroutable IP? 
> 
> A quick google yielded this 
> http://www.sans.org/y2k/120700-1700.htm  which > had some good 
> points (perhaps it's someone trying to spoof my internal 
> IP's.. except they are way way off.) 
> 
> Thx,
> 
> Joe
> 
> 
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe: 
> https://lists.sourceforge.net/lists/listinfo/s> nort-users
> 
> Snort-users list archive: 
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 




More information about the Snort-users mailing list