[Snort-users] Question, probably really simple, but a question nonetheless
alex.kirk at ...1935...
Fri Oct 7 13:10:30 EDT 2005
These are distinctly odd packets. If the host that they're all coming
from is internal to your network, I would go and do a full scan of the
box -- virus, spyware, rootkits, the works -- since this could
potentially be the result of some malicious software running on it.
However, it may just be that the box is misconfigured or has some poorly
written software on it; it's just tough to say without more information.
If this host is not on your internal network, it may indicate that
you're being scanned, though in a very strange way. At that point, it
would probably be smart to go make sure your systems are all patched up
to date, that your firewall is running correctly, etc. (though clearly
all of this is good practice regardless of whether you're the subject of
an abnormal scan).
A more detailed PCAP, that had traffic flowing to and from this host,
might be helpful in diagnosing what's going on here. Of course, this may
also be a great excuse to tell your boss that you need Snort set up to
see all of the traffic going in and out of your network -- perhaps some
other alerts would crop up and lead to the nature of the problem here.
> Thanks for getting back to me. Yeah, that information did help a
> little, it just has to sink in. Anyway, here is the pcap (hopefully it
> will be there) from Ethereal that I pulled out of the tcpdump logs. I
> filtered out packets just from this source. Also, I don't know if this
> will help you identify the reason for all the 0 addresses, but here is
> how we have snort set up; it is an odd configuration, but this is how
> they wanted it done. Anyway, the box is only getting traffic that
> would normally go nowhere or no reply. Such as a bad web address, a
> down server, etc, that is all the information snort is going to get. I
> realize that is taking a lot of power out of what snort can do, but
> my hands were tied for that decision. Anyway, hopefully you can find
> something out of it.
> Thanks again,
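The thread turns on two triage steps: pull out only the traffic to and from the one host, and look at the packets carrying the "0 addresses" the poster mentions. The block below is an added example, not code from the thread or from the Snort project: it builds a small classic-format pcap in memory from constructed Ethernet/IPv4/UDP frames (the host address 192.0.2.10 and the peer addresses are placeholders, not values from the thread), parses it with only the standard library, applies the same host filter the poster used in Ethereal, and lists the packets with an all-zero source or destination so they can be examined rather than lost in the noise.

```python
import socket
import struct
from collections import Counter


def _ipv4_udp_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Build a minimal Ethernet/IPv4/UDP frame (checksums left as zero; fine for parsing)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
        socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
    )
    eth_hdr = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth_hdr + ip_hdr + udp


def build_pcap(frames):
    """Serialize frames as a classic libpcap file: magic 0xa1b2c3d4, v2.4, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1128700000 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample capture; SUSPECT is a placeholder for the host the poster filtered on.
SUSPECT = "192.0.2.10"
SAMPLE_PCAP = build_pcap([
    _ipv4_udp_frame(SUSPECT, "198.51.100.5", 40000, 53),
    _ipv4_udp_frame("198.51.100.5", SUSPECT, 53, 40000),
    _ipv4_udp_frame(SUSPECT, "0.0.0.0", 40001, 53),             # zero destination address
    _ipv4_udp_frame("0.0.0.0", SUSPECT, 68, 67),                # zero source address
    _ipv4_udp_frame("198.51.100.7", "198.51.100.8", 1234, 5678),  # unrelated traffic
])


def iter_ipv4_packets(pcap_bytes):
    """Yield (timestamp, src, dst, ip_proto) for every IPv4-over-Ethernet record in the file."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"          # file written little-endian
    elif magic == 0xD4C3B2A1:
        endian = ">"          # file written big-endian
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(endian + "I", pcap_bytes, 20)
    if linktype != 1:
        raise ValueError("only Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(pcap_bytes):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap_bytes, off)
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        if len(frame) < 14 + 20 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4, or truncated below a full IP header
        ip = frame[14:]
        yield (ts_sec + ts_usec / 1e6,
               socket.inet_ntoa(ip[12:16]),
               socket.inet_ntoa(ip[16:20]),
               ip[9])


def summarize_host_traffic(pcap_bytes, host):
    """Keep only packets to or from `host` (the filter the poster applied in Ethereal),
    count both directions and peers, and flag packets with an all-zero address."""
    summary = {"from_host": 0, "to_host": 0, "peers": Counter(), "zero_address": []}
    for _ts, src, dst, proto in iter_ipv4_packets(pcap_bytes):
        if host not in (src, dst):
            continue
        if src == host:
            summary["from_host"] += 1
            summary["peers"][dst] += 1
        else:
            summary["to_host"] += 1
            summary["peers"][src] += 1
        if src == "0.0.0.0" or dst == "0.0.0.0":
            summary["zero_address"].append((src, dst, proto))
    return summary


if __name__ == "__main__":
    s = summarize_host_traffic(SAMPLE_PCAP, SUSPECT)
    print(f"from {SUSPECT}: {s['from_host']}  to {SUSPECT}: {s['to_host']}")
    print("peers:", dict(s["peers"]))
    for src, dst, proto in s["zero_address"]:
        print(f"zero address: {src} -> {dst} (ip proto {proto})")
```

To run it on a real file, replace `SAMPLE_PCAP` with `open("capture.pcap", "rb").read()`; only the classic pcap format (not pcapng) and Ethernet link type are handled, which is what tcpdump writes by default on an Ethernet interface. A zero source address is legitimate in a few cases (DHCP discovery is the usual one), so the list is a starting point for inspection, not a verdict on the host.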