[Snort-users] Scan Nmap, Multicast Address
ozguc.bayrak at ...10801...
Thu Feb 5 01:45:01 EST 2004
When I checked my ACID logs, I saw an alert like this:
SCAN nmap TCP 184.108.40.206:48730 (Source IP) xxx.xxx.xxx.xxx:34972
I know that 220.127.116.11 is a multicast address. Is that true?
The nslookup query is below:
18.104.22.168.in-addr.arpa name =
230.in-addr.arpa nameserver = flag.ep.net
230.in-addr.arpa nameserver = dot.ep.net
dot.ep.net internet address = 22.214.171.124
dot.ep.net AAAA IPv6 address = 2001:478:6:0:230:48ff:fe22:6a29
dot.ep.net AAAA IPv6 address = 3ffe:0:1:0:230:48ff:fe22:6a29
flag.ep.net internet address = 126.96.36.199
flag.ep.net AAAA IPv6 address = 3ffe:805:0:0:2d0:b7ff:fee8:c4d9
How does it happen? Is that spoofing? Does anybody have an idea?
Thanks for your reply...