[Snort-users] Question, probably really simple, but a question nontheless

Alex Kirk alex.kirk at ...1935...
Fri Oct 7 13:10:30 EDT 2005


Kevin,

These are distinctly odd packets. If the host that they're all coming 
from is internal to your network, I would go and do a full scan of the 
box -- virus, spyware, rootkits, the works -- since this could 
potentially be the result of some malicious software running on it. 
However, it may just be that the box is misconfigured or has some poorly 
written software on it; it's just tough to say without more information.

If this host is not on your internal network, it may indicate that 
you're being scanned, though in a very strange way. At that point, it 
would probably be smart to go make sure your systems are all patched up 
to date, that your firewall is running correctly, etc. (though clearly 
all of this is good practice regardless of whether you're the subject of 
an abnormal scan).

A more detailed PCAP, that had traffic flowing to and from this host, 
might be helpful in diagnosing what's going on here. Of course, this may 
also be a great excuse to tell your boss that you need Snort set up to 
see all of the traffic going in and out of your network -- perhaps some 
other alerts would crop up and lead to the nature of the problem here.

Alex Kirk
Research Analyst
Sourcefire, Inc.

> Alex,
>
> Thanks for getting back to me. Yeah, that information did help a 
> little, it just has to sink in. Anyway, here is the pcap (hopefully it 
> will be there) from Ethereal that I pulled out of the tcpdump logs. I 
> filtered out packets just from this source. Also, I don't know if this 
> will help you identify the reason for all the 0 addresses, but here is 
> how we have snort setup, it is an odd configuration, but this is how 
> they wanted it done. Anyway, the box is only getting traffic that 
> would normally go nowhere or no reply. Such as a bad web address, a 
> down server, etc, that is all the information snort is going to get. I 
> realize that is taking at lot of power out of what snort can do, but 
> my hands were tied for that decision. Anyway, hopefully you can find 
> something out of it.
>
> Thanks again,
> Kevin






More information about the Snort-users mailing list