[Snort-users] IP recognition

Mayur Patil ram.nath241089 at ...11827...
Fri Jul 19 13:01:52 EDT 2013


Hi Waldo,

     Got it.

     Thanks for the satisfactory explanation.

     Lesson: Don't interrupt if that is not interrupting you!!

-- 
Cheers,
Mayur.

On Fri, Jul 19, 2013 at 10:22 PM, waldo kitty <wkitty42 at ...14940...> wrote:

> On 7/19/2013 05:18, Mayur Patil wrote:
> > Hello,
> >
> >      I am unable to recognize the IP when I run snort in NIDS mode.
> >
> > *192.168.10.121:56333 -> 224.0.0.252:5355* UDP TTL:1 TOS:0x0 ID:18058 IpLen:20 DgmLen:50
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> >
> >      07/19-14:45:25.191751 00:22:19:06:B9:1C -> FF:FF:FF:FF:FF:FF type:0x800 len:0x5C
> > *10.1.11.172:137 -> 10.1.11.255:137* UDP TTL:128 TOS:0x0 ID:15751 IpLen:20 DgmLen:78
> > +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> >
> >      07/19-14:45:25.194146 B8:AC:6F:45:F8:23 -> FF:FF:FF:FF:FF:FF type:0x800 len:0xF3
> > *10.1.47.230:138 -> 10.1.47.255:138* UDP TTL:128 TOS:0x0 ID:5740 IpLen:20 DgmLen:229
> >
> >       My admin says it is from another IP range within the proxy, so why are they bombarding my system unintentionally??
>
> they are not "bombarding" your system... they are broadcasts...
>
> the 224.0.0.252 address is a multicast address... see the following link for more information... http://en.wikipedia.org/wiki/Multicast_address then find the 252 one in the chart and follow that link for more specific info on that particular entry...
>
> the ones to 10.1.11.255 are specifically NETBIOS/NETBEUI queries to see what samba/windows_networking clients are active so they can be shown in the network neighborhood type displays... they also have elections between them to decide which will be the "browse master" and tell the others what machines are active and where they are located (ip)...
>
> >      How to stop them from interacting with my system?
>
> you cannot stop them... the best you could do would be to firewall your machine from them... one might do this by blocking all traffic to 10.1.11.255 but this may very easily break other stuff you desire to work... one might block traffic to/from ports 137, 138 and 445 but again, that might break other stuff that you desire to work...
>
>
> it is amazing what one starts to find when one starts looking at the network traffic one's machine is really transmitting/receiving, isn't it? i remember when many folks switched from single-task DOS to multitask networking capable windows and how they were always asking why is the light on the hub/switch/router blinking when i'm not doing anything... same with the HD light on the computer case... just because a human isn't doing something doesn't mean that the computer isn't talking to something else or performing some system maintenance ;)
>
>
> >
> >       Any hints!!
> >
> >       Seeking guidance,
> >
> >       Thanks!!
>
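The point of waldo's reply is that these packets are LAN discovery chatter, not traffic aimed at one host. The script below is an added illustration (not from the thread or from Snort) that parses the IP summary lines Snort prints in verbose mode and tags each destination as multicast, local broadcast, another subnet's broadcast, or unicast, naming the discovery service behind the port (LLMNR on 5355, NetBIOS on 137/138). The sample lines are constructed from the ones quoted above, and the local subnet 10.1.11.0/24 is an assumption inferred from the asker's addresses.

```python
import ipaddress
import re

# Constructed sample of Snort's verbose packet summaries, modelled on the
# lines quoted in this thread plus one ordinary unicast TCP packet.
SAMPLE = """\
07/19-14:45:25.190012 00:22:19:06:B9:1C -> 01:00:5E:00:00:FC type:0x800 len:0x40
192.168.10.121:56333 -> 224.0.0.252:5355 UDP TTL:1 TOS:0x0 ID:18058 IpLen:20 DgmLen:50
10.1.11.172:137 -> 10.1.11.255:137 UDP TTL:128 TOS:0x0 ID:15751 IpLen:20 DgmLen:78
10.1.47.230:138 -> 10.1.47.255:138 UDP TTL:128 TOS:0x0 ID:5740 IpLen:20 DgmLen:229
10.1.11.172:49152 -> 10.1.11.5:22 TCP TTL:128 TOS:0x0 ID:1 IpLen:20 DgmLen:60
"""

# Matches the IP summary line only; the Ethernet line ("07/19-...") does not match.
IP_LINE = re.compile(
    r"^(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)"
)

# Discovery services that legitimately chatter to broadcast/multicast.
NOISY_SERVICES = {5355: "LLMNR", 137: "NetBIOS-NS", 138: "NetBIOS-DGM",
                  1900: "SSDP", 5353: "mDNS"}

# Assumption: the asker's own subnet, inferred from the 10.1.11.x addresses.
LOCAL_NET = ipaddress.ip_network("10.1.11.0/24")

def classify(line, local_net=LOCAL_NET):
    """Return (kind, service) for a Snort IP summary line, or None for other lines."""
    m = IP_LINE.match(line)
    if not m:
        return None
    dst = ipaddress.ip_address(m["dst"])
    if dst.is_multicast:                       # 224.0.0.0/4, e.g. 224.0.0.252
        kind = "multicast"
    elif dst == ipaddress.ip_address("255.255.255.255") or dst == local_net.broadcast_address:
        kind = "broadcast"
    elif str(dst).endswith(".255"):            # heuristic: another /24's broadcast
        kind = "directed-broadcast?"
    else:
        kind = "unicast"
    return kind, NOISY_SERVICES.get(int(m["dport"]), m["proto"])

def summarize(text, local_net=LOCAL_NET):
    """Count packets per (kind, service) so the noise sources stand out."""
    counts = {}
    for line in text.splitlines():
        key = classify(line, local_net)
        if key:
            counts[key] = counts.get(key, 0) + 1
    return counts
```

Once the summary shows which kinds dominate, the same criteria can be written as a BPF expression on the snort command line (for example `not dst net 224.0.0.0/4`) so that chatter never reaches the verbose output at all.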