[Snort-users] (no subject)

Martin Roesch roesch at ...1935...
Mon Sep 22 12:49:08 EDT 2003


That looks like something responding on the broadcast to broadcast
netbios-dgm traffic, did you get the MAC address of the source side of
the packets?  Some device on the network is feeling empowered to answer
for broadcast traffic....

      -Marty

On Thursday, September 18, 2003, at 09:22  PM, Edward Marshall wrote:

> Hi Marc, in response to your question on my problem (Broadcast addresses
> showing up as a source IP address??? 192.168.2.255 & 255.255.255.255), I
> have included in this email 4 alert messages, as an example of what
> Snort is detecting and logging in the log file called ALERT:
>
>
> [**] [117:1:1] (spp_portscan2) Portscan detected from 255.255.255.255: 6
> targets 6 ports in 45 seconds [**]
> 07/29-11:03:54.973312 255.255.255.255 -> 192.168.2.217
> ICMP TTL:64 TOS:0x0 ID:19157 IpLen:20 DgmLen:68
> Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
> ** ORIGINAL DATAGRAM DUMP:
> 192.168.2.217:138 -> 255.255.255.255:138
> UDP TTL:255 TOS:0x0 ID:7551 IpLen:20 DgmLen:229
> Len: 201
> ** END OF DUMP
>
>
> [**] [117:1:1] (spp_portscan2) Portscan detected from 255.255.255.255: 6
> targets 6 ports in 79 seconds [**]
> 07/29-13:40:20.891202 255.255.255.255 -> 192.168.2.146
> ICMP TTL:64 TOS:0x0 ID:47418 IpLen:20 DgmLen:68
> Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
> ** ORIGINAL DATAGRAM DUMP:
> 192.168.2.146:138 -> 255.255.255.255:138
> UDP TTL:255 TOS:0x0 ID:26601 IpLen:20 DgmLen:229
> Len: 201
> ** END OF DUMP
>
>
> [**] [117:1:1] (spp_portscan2) Portscan detected from 192.168.2.255: 6
> targets 6 ports in 53 seconds [**]
> 07/29-09:55:31.003547 192.168.2.255 -> 192.168.2.55
> ICMP TTL:64 TOS:0x0 ID:34116 IpLen:20 DgmLen:68
> Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
> ** ORIGINAL DATAGRAM DUMP:
> 192.168.2.55:138 -> 192.168.2.255:138
> UDP TTL:128 TOS:0x0 ID:8463 IpLen:20 DgmLen:229
> Len: 201
> ** END OF DUMP
>
>
> [**] [117:1:1] (spp_portscan2) Portscan detected from 192.168.2.255: 6
> targets 6 ports in 34 seconds [**]
> 07/29-09:56:17.455466 192.168.2.255 -> 192.168.2.69
> ICMP TTL:64 TOS:0x0 ID:52213 IpLen:20 DgmLen:68
> Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
> ** ORIGINAL DATAGRAM DUMP:
> 192.168.2.69:138 -> 192.168.2.255:138
> UDP TTL:32 TOS:0x0 ID:35585 IpLen:20 DgmLen:231
> Len: 203
> ** END OF DUMP
>
>
>
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Marc
> Quibell
> Sent: Thursday, September 18, 2003 9:51 AM
> To: snort-users at lists.sourceforge.net
> Cc: edtech at ...9974...
> Subject: [Snort-users] (no subject)
>
>
>
> Broadcast addresses can't show up as a source. Must be your reporting is
> a little whacky... What are the destinations?
>
> Marc
>
>> Message: 2
>> From: "Edward Marshall" <edtech at ...9974...>
>> To: <snort-users at lists.sourceforge.net>
>> Date: Thu, 18 Sep 2003 05:59:43 -0400
>> Subject: [Snort-users] Broadcast address???
>
>> Hi Guys, after running Snort 2.0.1 on a corporate network 192.168.2.0/24
>> for a week, I used Sawmill to analyze the Snort log files (Alert,
>> Portscan.log and Scan.log).
>> I noticed that the following source IP addresses showed up: 192.168.2.255
>> (with 6,296 hits) and 255.255.255.255 (with 626 hits). My question is,
>> aren't these two IP addresses broadcast addresses???  How can a
>> broadcast address show up as a source IP address???
>
>> Any assistance would be greatly appreciated!!!
>
>
>> Thanks
>
>> Eddie
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- 
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Enterprise-class Intrusion detection built on Snort
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
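The pattern Marty describes, worked through over the quoted alerts as an added example (not code from the thread or from Snort): it picks out ICMP port-unreachables whose source IP is a broadcast address and whose quoted original datagram was a netbios-dgm (UDP 138) broadcast, then counts the distinct hosts each bogus source hit, which is what spp_portscan2 reports as "targets". The local network 192.168.2.0/24 is taken from Eddie's message; the sample alert text is constructed from the alerts quoted above.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample in the Snort full-alert layout quoted in the thread
# (two of the four alerts, banner and UDP header lines dropped).
SAMPLE_ALERTS = """\
07/29-11:03:54.973312 255.255.255.255 -> 192.168.2.217
ICMP TTL:64 TOS:0x0 ID:19157 IpLen:20 DgmLen:68
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
192.168.2.217:138 -> 255.255.255.255:138
** END OF DUMP

07/29-09:55:31.003547 192.168.2.255 -> 192.168.2.55
ICMP TTL:64 TOS:0x0 ID:34116 IpLen:20 DgmLen:68
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
192.168.2.55:138 -> 192.168.2.255:138
** END OF DUMP
"""

PKT_RE = re.compile(r"^\S+ (\S+) -> (\S+)$", re.M)          # outer IP header line
ICMP_RE = re.compile(r"^Type:(\d+)\s+Code:(\d+)", re.M)      # ICMP type/code line
INNER_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+)$", re.M)  # quoted original datagram
NETBIOS_DGM = 138  # UDP port the original broadcast datagrams were sent to


def broadcast_sourced_unreachables(alert_text, local_net="192.168.2.0/24"):
    """One finding per ICMP port-unreachable whose source IP is a broadcast address
    and whose quoted original datagram was a netbios-dgm broadcast to that address."""
    net = ipaddress.ip_network(local_net)
    bcast = {ipaddress.ip_address("255.255.255.255"), net.broadcast_address}
    findings = []
    for block in alert_text.strip().split("\n\n"):
        pkt, icmp, inner = (r.search(block) for r in (PKT_RE, ICMP_RE, INNER_RE))
        if not (pkt and icmp and inner):
            continue
        src, dst = map(ipaddress.ip_address, pkt.groups())
        if src not in bcast or icmp.groups() != ("3", "3"):
            continue
        # The ICMP source equals the broadcast address the original datagram went to.
        if ipaddress.ip_address(inner.group(3)) == src and int(inner.group(4)) == NETBIOS_DGM:
            findings.append({"claimed_src": str(src), "victim": str(dst)})
    return findings


def hosts_per_claimed_source(findings):
    """What spp_portscan2 counts as 'targets': distinct hosts each bogus source touched."""
    seen = defaultdict(set)
    for f in findings:
        seen[f["claimed_src"]].add(f["victim"])
    return {src: len(hosts) for src, hosts in seen.items()}
```

The next step in triage is the one Marty asks for: pull the frames for these ICMP packets and read the source MAC, since the IP source is useless for attribution here.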