[Snort-users] Scan Nmap, Multicast Address

Özgüç Bayrak ozguc.bayrak at ...10801...
Thu Feb 5 01:45:01 EST 2004

When I checked my ACID logs, I saw an alert like this:

SCAN nmap TCP (Source IP)    xxx.xxx.xxx.xxx:34972
(Local IP)

I know that is a multicast address. Is that true?

The nslookup query is below

Server:  flag.ip4.int
Address:     name =
230.in-addr.arpa        nameserver = flag.ep.net
230.in-addr.arpa        nameserver = dot.ep.net
dot.ep.net      internet address =
dot.ep.net      AAAA IPv6 address = 2001:478:6:0:230:48ff:fe22:6a29
dot.ep.net      AAAA IPv6 address = 3ffe:0:1:0:230:48ff:fe22:6a29
flag.ep.net     internet address =
flag.ep.net     AAAA IPv6 address = 3ffe:805:0:0:2d0:b7ff:fee8:c4d9

How does it happen? Is that spoofing? Does anybody have an idea?
Thanks for the reply...