[Snort-users] (no subject)

Edward Marshall edtech at ...9974...
Fri Sep 19 14:30:05 EDT 2003


Hi Marc, in response to your question on my problem (broadcast addresses
showing up as a source IP address??? 192.168.2.255 & 255.255.255.255), I
have included in this email four alert messages as an example of what
Snort is detecting and logging in the log file called ALERT:


[**] [117:1:1] (spp_portscan2) Portscan detected from 255.255.255.255: 6 targets 6 ports in 45 seconds [**]
07/29-11:03:54.973312 255.255.255.255 -> 192.168.2.217
ICMP TTL:64 TOS:0x0 ID:19157 IpLen:20 DgmLen:68
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
192.168.2.217:138 -> 255.255.255.255:138
UDP TTL:255 TOS:0x0 ID:7551 IpLen:20 DgmLen:229
Len: 201
** END OF DUMP


[**] [117:1:1] (spp_portscan2) Portscan detected from 255.255.255.255: 6 targets 6 ports in 79 seconds [**]
07/29-13:40:20.891202 255.255.255.255 -> 192.168.2.146
ICMP TTL:64 TOS:0x0 ID:47418 IpLen:20 DgmLen:68
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
192.168.2.146:138 -> 255.255.255.255:138
UDP TTL:255 TOS:0x0 ID:26601 IpLen:20 DgmLen:229
Len: 201
** END OF DUMP


[**] [117:1:1] (spp_portscan2) Portscan detected from 192.168.2.255: 6 targets 6 ports in 53 seconds [**]
07/29-09:55:31.003547 192.168.2.255 -> 192.168.2.55
ICMP TTL:64 TOS:0x0 ID:34116 IpLen:20 DgmLen:68
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
192.168.2.55:138 -> 192.168.2.255:138
UDP TTL:128 TOS:0x0 ID:8463 IpLen:20 DgmLen:229
Len: 201
** END OF DUMP


[**] [117:1:1] (spp_portscan2) Portscan detected from 192.168.2.255: 6 targets 6 ports in 34 seconds [**]
07/29-09:56:17.455466 192.168.2.255 -> 192.168.2.69
ICMP TTL:64 TOS:0x0 ID:52213 IpLen:20 DgmLen:68
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
192.168.2.69:138 -> 192.168.2.255:138
UDP TTL:32 TOS:0x0 ID:35585 IpLen:20 DgmLen:231
Len: 203
** END OF DUMP



-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Marc
Quibell
Sent: Thursday, September 18, 2003 9:51 AM
To: snort-users at lists.sourceforge.net
Cc: edtech at ...9974...
Subject: [Snort-users] (no subject)



Broadcast addresses can't show up as a source. Must be your reporting is a
little whacky... What are the destinations?

Marc

>Message: 2
>From: "Edward Marshall" <edtech at ...9974...>
>To: <snort-users at lists.sourceforge.net>
>Date: Thu, 18 Sep 2003 05:59:43 -0400
>Subject: [Snort-users] Broadcast address???


>Hi Guys, after running Snort 2.0.1 on a corporate network 192.168.2.0/24
>for a week, I used Sawmill to analyze the Snort log files (Alert,
>Portscan.log and Scan.log).
>I noticed that the following source IP addresses showed up: 192.168.2.255
>(with 6,296 hits) and 255.255.255.255 (with 626 hits). My question is,
>aren't these two IP addresses broadcast addresses???  How can a
>broadcast address show up as a source IP address???

>Any assistance would be greatly appreciated!!!


>Thanks

>Eddie
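
Editor's note (added example, not part of any message in this thread and not
Snort project code): the four quoted records are ICMP Destination Unreachable
(Type 3, Code 3) packets whose IP source field is a broadcast address, and the
datagram quoted inside each of them is a UDP port 138 (NetBIOS datagram
service) packet that was sent to that broadcast address. Both things are
forbidden by RFC 1122: a limited or directed broadcast address must never be
used as a source address (section 3.2.1.3), and a host must not send an ICMP
error in reply to a datagram addressed to a broadcast address (section 3.2.2).
Whatever the spp_portscan2 label says, that makes such records worth pulling
out of an alert file on their own. The script below parses Snort's "full"
alert record layout as it appears above (header line, timestamp line, protocol
line, optional Type/Code line, optional original-datagram dump), tolerates the
line-wrapped headers a mail client produces, and flags both conditions. It
assumes the monitored subnet is the poster's 192.168.2.0/24 (LOCAL_NETS); the
first two sample records are abridged copies of the ones quoted above and the
third is a constructed unicast control case.

```python
"""Parse Snort 2.x 'full' alert records and flag broadcast IP source addresses.
Added example for this thread, not code from the post or from the Snort project.
LOCAL_NETS is an assumption (the poster's 192.168.2.0/24); the third SAMPLE_LOG
record is constructed as a unicast control case, the first two are quoted above.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ENDPOINTS = r"(\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$"
HEADER_RE = re.compile(r"^\[\*\*\] \[([\d:]+)\] (.*) \[\*\*\]$")
PACKET_RE = re.compile(r"^(\S+) " + ENDPOINTS)   # timestamp, then src -> dst
INNER_RE = re.compile("^" + ENDPOINTS)            # datagram quoted inside an ICMP error
ICMP_RE = re.compile(r"^Type:(\d+)\s+Code:(\d+)")
LOCAL_NETS = [ipaddress.IPv4Network("192.168.2.0/24")]   # assumed monitored subnet
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


@dataclass
class Alert:
    sig: str            # gid:sid:rev
    msg: str
    src: str
    dst: str
    proto: str
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    inner: Optional[Tuple[str, Optional[int], str, Optional[int]]] = None

def parse_record(block: str) -> Alert:
    lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
    header = lines.pop(0)
    while not header.endswith("[**]") and lines:   # mail clients wrap long header lines
        header += " " + lines.pop(0)
    sig, msg = HEADER_RE.match(header).groups()
    _ts, src, _sport, dst, _dport = PACKET_RE.match(lines.pop(0)).groups()
    alert = Alert(sig, msg, src, dst, lines.pop(0).split()[0])
    in_dump = False
    for line in lines:
        if line.startswith("** ORIGINAL DATAGRAM DUMP"):
            in_dump = True
        elif line.startswith("** END OF DUMP"):
            in_dump = False
        elif in_dump and alert.inner is None and (m := INNER_RE.match(line)):
            s, sp, d, dp = m.groups()   # first 'src -> dst' line inside the dump
            alert.inner = (s, int(sp) if sp else None, d, int(dp) if dp else None)
        elif not in_dump and (m := ICMP_RE.match(line)):
            alert.icmp_type, alert.icmp_code = int(m.group(1)), int(m.group(2))
    return alert

def parse_alerts(log: str) -> List[Alert]:
    return [parse_record(b) for b in re.split(r"\n\s*\n", log.strip()) if b.strip()]

def is_broadcast(addr: str, nets=LOCAL_NETS) -> bool:
    ip = ipaddress.IPv4Address(addr)
    return ip == LIMITED_BROADCAST or any(ip == n.broadcast_address for n in nets)

def classify(alert: Alert, nets=LOCAL_NETS) -> List[str]:
    findings = []
    if is_broadcast(alert.src, nets):
        findings.append("broadcast-source")   # RFC 1122 3.2.1.3: never a legal source
    if (alert.proto == "ICMP" and alert.icmp_type == 3 and alert.inner
            and is_broadcast(alert.inner[2], nets)):
        # RFC 1122 3.2.2: no ICMP error may be sent in reply to a broadcast datagram
        findings.append("icmp-error-for-broadcast")
    return findings

def analyze(log: str, nets=LOCAL_NETS) -> List[Tuple[str, str, List[str]]]:
    return [(a.src, a.dst, classify(a, nets)) for a in parse_alerts(log)]

SAMPLE_LOG = """\
[**] [117:1:1] (spp_portscan2) Portscan detected from 255.255.255.255: 6 targets 6 ports in 45 seconds [**]
07/29-11:03:54.973312 255.255.255.255 -> 192.168.2.217
ICMP TTL:64 TOS:0x0 ID:19157 IpLen:20 DgmLen:68
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
192.168.2.217:138 -> 255.255.255.255:138
** END OF DUMP

[**] [117:1:1] (spp_portscan2) Portscan detected from 192.168.2.255: 6 targets 6 ports in 53 seconds [**]
07/29-09:55:31.003547 192.168.2.255 -> 192.168.2.55
ICMP TTL:64 TOS:0x0 ID:34116 IpLen:20 DgmLen:68
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
192.168.2.55:138 -> 192.168.2.255:138
** END OF DUMP

[**] [1:0:0] constructed control: unicast port unreachable for a DNS query [**]
07/29-10:00:00.000000 192.168.2.1 -> 192.168.2.55
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:56
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
192.168.2.55:4321 -> 192.168.2.1:53
** END OF DUMP
"""

if __name__ == "__main__":
    for src, dst, findings in analyze(SAMPLE_LOG):
        print(f"{src:>15} -> {dst:<15} {', '.join(findings) or 'ok'}")
```

Running it prints one line per record: the two broadcast-sourced records carry
both findings, the unicast control carries none. To run it over a real alert
file, pass the file's contents to analyze() and add every monitored subnet to
LOCAL_NETS so its directed broadcast address is recognised as well as
255.255.255.255.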
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users