[Snort-users] Scan Nmap, Multicast Address

Özgüç Bayrak ozguc.bayrak at ...10801...
Thu Feb 5 01:45:01 EST 2004


Hi,
When I checked my ACID logs, I saw an alert like this:

SCAN nmap TCP    230.242.34.196:48730 (Source IP)    xxx.xxx.xxx.xxx:34972 (Local IP)

I know that 230.242.34.196 is a multicast address. Is that true?

The nslookup query is below

> 230.242.34.196
Server:  flag.ip4.int
Address:  198.32.4.13

196.34.242.230.in-addr.arpa     name = reserved-multicast-range-NOT-delegated.example.com
230.in-addr.arpa        nameserver = flag.ep.net
230.in-addr.arpa        nameserver = dot.ep.net
dot.ep.net      internet address = 198.32.2.10
dot.ep.net      AAAA IPv6 address = 2001:478:6:0:230:48ff:fe22:6a29
dot.ep.net      AAAA IPv6 address = 3ffe:0:1:0:230:48ff:fe22:6a29
flag.ep.net     internet address = 198.32.4.13
flag.ep.net     AAAA IPv6 address = 3ffe:805:0:0:2d0:b7ff:fee8:c4d9

How does it happen? Is that spoofing? Does anybody have an idea?
Thanks for the reply...
 
Ozguc.
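
Added example, not part of the original post: a Python triage helper that parses alert lines in the layout quoted above, labels source addresses that fall in 224.0.0.0/4 (multicast) or other non-unicast ranges, and builds the in-addr.arpa name that the nslookup output shows. The sample lines, the destination addresses and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample lines in the layout of the alert quoted in the post. Only the
# first source address comes from the post; every other address is a placeholder.
SAMPLE_ALERTS = [
    "SCAN nmap TCP    230.242.34.196:48730 (Source IP)    192.0.2.10:34972 (Local IP)",
    "SCAN nmap TCP    198.51.100.7:40000    192.0.2.10:80",
    "SCAN nmap TCP    127.0.0.1:1234    192.0.2.10:22",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
NOTE = r"(?:\s+\([^)]*\))?"          # optional "(Source IP)" style annotation
ALERT_RE = re.compile(
    rf"^(?P<sig>.+?)\s+(?P<src>{IPV4}):(?P<sport>\d+){NOTE}"
    rf"\s+(?P<dst>{IPV4}):(?P<dport>\d+){NOTE}\s*$"
)

def classify_source(addr):
    """Label an IPv4 source address; anything but 'unicast' needs a second look."""
    ip = ipaddress.ip_address(addr)   # raises ValueError on e.g. 999.1.1.1
    if ip.is_multicast:               # 224.0.0.0/4, the range asked about
        return "multicast"
    if ip.is_loopback:                # 127.0.0.0/8
        return "loopback"
    if ip.is_reserved:                # 240.0.0.0/4
        return "reserved"
    return "unicast"

def triage(line):
    """Parse one alert line; return None when it does not match the layout."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    try:
        label = classify_source(m["src"])
    except ValueError:                # octet out of range, not a real address
        return None
    ptr = ipaddress.ip_address(m["src"]).reverse_pointer
    return {"sig": m["sig"], "src": m["src"], "label": label, "ptr": ptr}

def suspicious_sources(lines):
    """Return parsed alerts whose source is not an ordinary unicast address."""
    parsed = (triage(line) for line in lines)
    return [p for p in parsed if p and p["label"] != "unicast"]

if __name__ == "__main__":
    for hit in suspicious_sources(SAMPLE_ALERTS):
        print(f'{hit["sig"]}: {hit["src"]} is {hit["label"]} (PTR name {hit["ptr"]})')
```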