[Snort-users] non-standard-protocol : BAD-TRAFFIC IP Proto 103 PIM

doug schmidt douglas.j.schmidt at ...11827...
Thu May 17 14:52:56 EDT 2007


> rule.  I know the protocol in question is a routing-related protocol, but
> does anyone have any views or explanation on the normal use of this protocol?

An example of such would be Cisco routers configured for HSRP. Routers
will use multicast to send hellos and talk with members of the group.

~doug

On 5/17/07, David Ryan <David.Ryan at ...14057...> wrote:
>
> Hi all,
>
> I am seeing loads (like 90% of all events) of these events showing up on one
> of my Snort sensors.  I have looked at the description here -
> http://www.snort.org/pub-bin/sigs.cgi?sid=2189 - and I
> looked at the rule definition and it appears to match simply on the
> existence of IP protocol 103 as distinct from any payload within it.
>
> I see the traffic coming from two known Cisco routers on the subnet I'm
> monitoring and the traffic is destined for 224.0.0.13 which is the multicast
> address for PIM -
> http://www.networksorcery.com/enp/protocol/pim.htm - I have
> also seen it on other sites and subnets on the network I am
> monitoring, so I guess whatever function is causing this traffic to
> originate from the router is used across the organisation.
>
> In order to make the output from snort a little more readable (and because
> it is matching on the protocol and not the payload) I have disabled this
> rule.  I know the protocol in question is a routing-related protocol, but
> does anyone have any views or explanation on the normal use of this protocol?
>
> Thanks,
>
> David
> ===========================================
> David Ryan
> IT Security Engineer, Global IT Security
> Quintiles, Global IT - Infrastructure, QDUB
>
> david.ryan at ...14057...
> v:  +353-1-819-5186, GMT+0
> m: +353-87-124-9108
> ===========================================
>
>


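As an added illustration of the triage question raised in this thread (this is example code written for this page, not anything from the Snort project or from either poster): the thread states that SID 2189 fires on the mere presence of IP protocol 103, which is why it drowns the console when legitimate PIM routers are on the monitored segment. The block below parses a raw IPv4 packet, shows what the protocol-only match does, and then applies the narrower checks an analyst would actually use to decide whether an alert is expected router-to-router PIM or worth a look: source in an allow-list of known PIM speakers, destination 224.0.0.13 (the all-PIM-routers address named in the thread), TTL 1 as link-local multicast hellos are sent, and a PIM version of 2 in the first payload byte (this last point goes beyond the thread and comes from RFC 7761). The router addresses, the sample packets and the `KNOWN_PIM_ROUTERS` allow-list are constructed assumptions; PIM Register messages are unicast, so a non-224.0.0.13 destination is flagged for review rather than treated as proof of anything.

```python
"""Triage helper for Snort alerts on IP protocol 103 (PIM).

Added example for this thread, not Snort code. Assumes the sensor hands us
the raw IPv4 packet and that the routers expected to speak PIM are known.
"""
import ipaddress
import struct

IPPROTO_PIM = 103
PIM_ALL_ROUTERS = ipaddress.IPv4Address("224.0.0.13")  # named in the thread
PIM_VERSION = 2  # RFC 7761: high nibble of the first PIM header byte

# Hypothetical allow-list: the routers expected to originate PIM here.
KNOWN_PIM_ROUTERS = {
    ipaddress.IPv4Address("10.0.0.1"),
    ipaddress.IPv4Address("10.0.0.2"),
}


def parse_ipv4(packet: bytes) -> dict:
    """Extract the IPv4 header fields needed for triage plus the payload."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, _flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes, options included
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    return {
        "ttl": ttl,
        "proto": proto,
        "src": ipaddress.IPv4Address(src),
        "dst": ipaddress.IPv4Address(dst),
        "payload": packet[ihl:],
    }


def matches_sid_2189(packet: bytes) -> bool:
    """What the thread says the rule does: fire on protocol 103, nothing else."""
    return parse_ipv4(packet)["proto"] == IPPROTO_PIM


def classify_pim(packet: bytes, known_routers=KNOWN_PIM_ROUTERS) -> str:
    """Narrower triage: 'expected-pim', 'not-pim', or 'review:<reasons>'."""
    hdr = parse_ipv4(packet)
    if hdr["proto"] != IPPROTO_PIM:
        return "not-pim"
    reasons = []
    if hdr["src"] not in known_routers:
        reasons.append("unknown-source")
    if hdr["dst"] != PIM_ALL_ROUTERS:
        # Unicast PIM (Register) is legitimate, so this is a flag, not proof.
        reasons.append("not-all-pim-routers")
    if hdr["ttl"] != 1:
        reasons.append("ttl-not-1")  # link-local hellos are sent with TTL 1
    payload = hdr["payload"]
    if not payload or payload[0] >> 4 != PIM_VERSION:
        reasons.append("bad-pim-version")
    return "expected-pim" if not reasons else "review:" + ",".join(reasons)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 1) -> bytes:
    """Constructed test packet; header checksum left 0 (parser ignores it)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


# Constructed PIMv2 Hello: version 2/type 0, reserved, checksum (0),
# then one Holdtime option (type 1, length 2, value 105 seconds).
PIM_HELLO = bytes.fromhex("20000000" "0001" "0002" "0069")
SAMPLE_HELLO = build_ipv4("10.0.0.1", "224.0.0.13", IPPROTO_PIM, PIM_HELLO)

if __name__ == "__main__":
    print("rule match:", matches_sid_2189(SAMPLE_HELLO))
    print("triage    :", classify_pim(SAMPLE_HELLO))
    print("triage    :", classify_pim(build_ipv4("192.0.2.9", "224.0.0.13",
                                                 IPPROTO_PIM, PIM_HELLO)))
```

Run stand-alone it prints the rule's verdict next to the triage verdict for a known router and for an unlisted source. The point of the split is that the protocol-only check is what the disabled rule did, while the second function keeps the alert useful: you get a "review" tag only when a PIM speaker appears from an address you did not expect, rather than on every hello the routers exchange.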