[Snort-users] IP recognition

waldo kitty wkitty42 at ...14940...
Fri Jul 19 12:52:12 EDT 2013


On 7/19/2013 05:18, Mayur Patil wrote:
> Hello,
>
>      I am unable to recognize the IP when I run snort in NIDS mode.
>
> *192.168.10.121:56333 -> 224.0.0.252:5355* UDP TTL:1 TOS:0x0 ID:18058 IpLen:20 DgmLen:50
>      =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>      07/19-14:45:25.191751 00:22:19:06:B9:1C -> FF:FF:FF:FF:FF:FF type:0x800 len:0x5C
> *10.1.11.172:137 -> 10.1.11.255:137* UDP TTL:128 TOS:0x0 ID:15751 IpLen:20 DgmLen:78
>      +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>      07/19-14:45:25.194146 B8:AC:6F:45:F8:23 -> FF:FF:FF:FF:FF:FF type:0x800 len:0xF3
> *10.1.47.230:138 -> 10.1.47.255:138* UDP TTL:128 TOS:0x0 ID:5740 IpLen:20 DgmLen:229
>
>       My admin says it is from other IP range within proxy then why they are
> bombarding on my system unintentionally ??

they are not "bombarding" your system... they are broadcasts...

the 224.0.0.252 address is a multicast address... see the following link for 
more information... http://en.wikipedia.org/wiki/Multicast_address then find the 
252 one in the chart and follow that link for more specific info on that 
particular entry...

the ones to 10.1.11.255 are specifically NETBIOS/NETBEUI queries to see what 
samba/windows_networking clients are active so they can be shown in the network 
neighborhood type displays... they also have elections between them to decide 
which will be the "browse master" and tell the others what machines are active 
and where they are located (ip)...

>      How to stop them from interacting with my system?

you cannot stop them... the best you could do would be to firewall your machine 
from them... one might do this by blocking all traffic to 10.1.11.255 but this 
may very easily break other stuff you desire to work... one might block traffic 
to/from ports 137, 138 and 445 but again, that might break other stuff that you 
desire to work...


it is amazing what one starts to find when one starts looking at the network 
traffic one's machine is really transmitting/receiving, isn't it? i remember 
when many folks switched from single-task DOS to multitask networking capable 
windows and how they were always asking why is the light on the 
hub/switch/router blinking when i'm not doing anything... same with the HD light 
on the computer case... just because a human isn't doing something doesn't mean 
that the computer isn't talking to something else or performing some system 
maintenance ;)


>
>       Any hints !!
>
>       Seeking for guidance,
>
>       Thanks !!



-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
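
The distinction drawn in the reply above, as an added example that is not part of the original post: a small Python triage that reads Snort packet-dump headers and labels each destination as multicast, Ethernet broadcast (with the NetBIOS service for ports 137/138) or unicast. The function names are hypothetical, and the last packet in the sample, including its MAC and IP addresses, is constructed for contrast.

```python
import ipaddress
import re

ETH = re.compile(r"([0-9A-Fa-f:]{17}) -> ([0-9A-Fa-f:]{17}) type:")
IPV4 = re.compile(r"(\d+(?:\.\d+){3}):(\d+) -> (\d+(?:\.\d+){3}):(\d+)\*? (\w+)")
NETBIOS = {137: "netbios-ns", 138: "netbios-dgm"}

def classify(dst_ip, dst_port, dst_mac=None):
    """Label a destination as multicast, broadcast or unicast."""
    ip = ipaddress.ip_address(dst_ip)
    if ip.is_multicast:
        # 224.0.0.252 on UDP 5355 is Link-Local Multicast Name Resolution.
        llmnr = str(ip) == "224.0.0.252" and dst_port == 5355
        return "multicast/llmnr" if llmnr else "multicast"
    if dst_mac and dst_mac.upper() == "FF:FF:FF:FF:FF:FF":
        # Ethernet broadcast frame: every host on the segment receives it.
        return "broadcast/" + NETBIOS.get(dst_port, "other")
    return "unicast"

def triage(dump):
    """Return (src, dst, label) for each packet header in a Snort dump."""
    results, dst_mac = [], None
    for line in dump.splitlines():
        eth = ETH.search(line)
        if eth:
            dst_mac = eth.group(2)
            continue
        pkt = IPV4.search(line)
        if pkt:
            src_ip, src_port, dst_ip, dst_port, _proto = pkt.groups()
            label = classify(dst_ip, int(dst_port), dst_mac)
            results.append((f"{src_ip}:{src_port}", f"{dst_ip}:{dst_port}", label))
            dst_mac = None  # the Ethernet line applies to one packet only
    return results

# Constructed sample: three packets as quoted above, plus one invented unicast packet.
SAMPLE = """\
*192.168.10.121:56333 -> 224.0.0.252:5355* UDP TTL:1 TOS:0x0 ID:18058 IpLen:20 DgmLen:50
07/19-14:45:25.191751 00:22:19:06:B9:1C -> FF:FF:FF:FF:FF:FF type:0x800 len:0x5C
10.1.11.172:137 -> 10.1.11.255:137 UDP TTL:128 TOS:0x0 ID:15751 IpLen:20 DgmLen:78
07/19-14:45:25.194146 B8:AC:6F:45:F8:23 -> FF:FF:FF:FF:FF:FF type:0x800 len:0xF3
10.1.47.230:138 -> 10.1.47.255:138 UDP TTL:128 TOS:0x0 ID:5740 IpLen:20 DgmLen:229
07/19-14:45:26.000000 00:22:19:06:B9:1C -> 00:11:22:33:44:55 type:0x800 len:0x4A
10.1.11.172:51000 -> 10.1.11.20:445 TCP TTL:128 TOS:0x0 ID:15800 IpLen:20 DgmLen:60
"""

if __name__ == "__main__":
    for src, dst, label in triage(SAMPLE):
        print(f"{label:22} {src} -> {dst}")
```
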
