[Snort-users] MY SNORT DETECT only one IP: 0.0.0.0:68 UDP

Carlos Rodriguez Hernandez crodriguezh.ext at ...17466...
Mon Feb 22 11:24:51 EST 2016


Hello Saulo,

Typically this traffic is related to normal DHCP operation and is not an
attack on your network.  DHCP (Dynamic Host Configuration Protocol) is how
your computer gets its unique IP address.  When a system starts up on a
network it must first request an IP address (assume it is not using a
static IP address), and it does this by broadcasting a request to the DHCP
server:

UDP 0.0.0.0:68 -> 255.255.255.255:67

since the requesting system doesn't have an IP address (why it is asking)
it uses 0.0.0.0 and since it's new to the network it doesn't know where the
DHCP server is, so it broadcasts the request to the entire networ

2016-02-22 15:53 GMT+01:00 <snort-users-request at lists.sourceforge.net>:
>
> Message: 1
> Date: Fri, 19 Feb 2016 15:57:14 -0200
> From: Saulo Fernandes <sauloitu at ...11827...>
> Subject: [Snort-users] MY SNORT DETECT only one IP: 0.0.0.0:68 UDP.
> To: snort-users at lists.sourceforge.net
> Message-ID:
>         <CAJaY=_Z_NG9Dr0EKB9G3jL1EwZUOE8qhivOQs40mDO=
> vj+D1pQ at ...11828...>
> Content-Type: text/plain; charset="utf-8"
>
> Hello, I'm new here in this forum, and also with new Snort.
> Installed the Snort-mysql + Base here on the company network, but for some
> reason, the Snort just shows that IP: 0.0.0.0:68 UDP as shown below in the
> log.
> The strange thing is that my IP range is 10.10.10.1 to 10.10.10.126 with
> mask 255.255.255.128 and still Snort is detecting this 0.0.0.0:68
>
>
>
>
> sending, alert log snort
>
> [**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 02/19-12:31:57.762519 0.0.0.0:68 -> 255.255.255.255:67
> UDP TTL:64 TOS:0x0 ID:30729 IpLen:20 DgmLen:328
> Len: 300
>


-- 
Carlos Rodríguez

C Developer
crodriguezh.ext at ...17466...

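A small triage helper for the situation discussed in this thread, added here as an example (not code from the original messages or from the Snort project): it parses Snort full-format alerts and separates the DHCP client broadcast flow described in the reply from alerts that still need review. The second sample alert, its 192.0.2.10 address and all function names are constructed for illustration.

```python
import re

# Constructed sample in Snort "full" alert layout: the alert from the thread
# plus one made-up alert (documentation address) that must stay flagged.
SAMPLE = """\
[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
02/19-12:31:57.762519 0.0.0.0:68 -> 255.255.255.255:67
UDP TTL:64 TOS:0x0 ID:30729 IpLen:20 DgmLen:328
Len: 300

[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
02/19-12:40:02.000001 192.0.2.10:4444 -> 192.0.2.10:4444
UDP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:48
Len: 20
"""

HEADER = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
FLOW = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$", re.M)
PROTO = re.compile(r"^(TCP|UDP|ICMP) TTL:", re.M)

def parse_alerts(text):
    """Split a full-format alert log on blank lines and extract the flow fields."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        head, flow, proto = HEADER.search(block), FLOW.search(block), PROTO.search(block)
        if not (head and flow and proto):
            continue  # not an IPv4 port-based alert; skip rather than guess
        alerts.append({
            "sid": int(head.group(2)), "msg": head.group(4), "proto": proto.group(1),
            "src": (flow.group(1), int(flow.group(2))),
            "dst": (flow.group(3), int(flow.group(4))),
        })
    return alerts

def is_dhcp_client_broadcast(alert):
    """True only for the exact flow from the reply: UDP 0.0.0.0:68 -> 255.255.255.255:67."""
    return (alert["proto"] == "UDP"
            and alert["src"] == ("0.0.0.0", 68)
            and alert["dst"] == ("255.255.255.255", 67))

def triage(text):
    """Return (expected_dhcp, needs_review) lists of parsed alerts."""
    alerts = parse_alerts(text)
    return ([a for a in alerts if is_dhcp_client_broadcast(a)],
            [a for a in alerts if not is_dhcp_client_broadcast(a)])

if __name__ == "__main__":
    dhcp, review = triage(SAMPLE)
    print(f"{len(dhcp)} expected DHCP broadcast(s), {len(review)} alert(s) left for review")
```

The match is deliberately exact on protocol, both addresses and both ports, so an alert that only resembles DHCP stays in the review list.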

