Snort mailing list archives

Re: portscans from 255.255.255.255?

From: Matt Kettler <mkettler () EVI-INC COM>
Date: Thu, 30 Jan 2003 16:34:52 -0500

This is likely to be the Q backdoor.

It should be caught be the second of these two rules from backdoor.rules:

alert icmp 255.255.255.0/24 any -> $HOME_NET any (msg:"BACKDOOR SIGNATURE -Q ICMP";itype: 0; dsize: >1; reference:arachnids,202;sid:183; classtype:misc-activity; re

v:3;)

alert tcp 255.255.255.0/24 any -> $HOME_NET any (msg:"BACKDOOR Q access";flags:A+;

dsize: >1;  reference:arachnids,203; sid:184;  classtype:misc-activity; rev:3;)

Note that it won't match a grep "255.255.255.255" but it will match a grep"255\.255\.255\."

( . is a wildcard to grep, I added the \'s to prevent the grep frommatching 255x255x255x instead of 255.255.255.)




At 12:39 PM 1/30/2003 -0800, twig les wrote:

Hey all, I have seriously debated whether I should
send this since it may or may not be off-topic; it's
just too bizarre to tell.  My border routers are
sysloging this:

bdr-acl-in denied tcp 255.255.255.255(80) ->
1.1.156.194(8118)

The acl is named correctly - these hits are coming
from the outside.  They hit random IPs in our range
like NMAP, and they always target a high port coming
from 80.  I would assume they are from a LAN upstream
since only routers doing stupid things forward
broadcasts.  The implications of this coming from our
upstream provider are quite large since we peer via
dual /30s.

It isn't crucial to my security (we don't let those
shenanigans in the border), but does snort see this as
bad traffic?  I did a quick "grep 255.255.255.255 *"
in the snortrules dir and only came up with a couple
of snmp rules.  I would like to know if I should write
a rule for this since I only caught this by accident
this time.


=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.
-----------------------------------------------------------

__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com


-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

portscans from 255.255.255.255? twig les (Jan 30)
- Re: portscans from 255.255.255.255? Sam Evans (Jan 30)
- Re: portscans from 255.255.255.255? Gary Flynn (Jan 30)
- Re: portscans from 255.255.255.255? Matt Kettler (Jan 30)
- <Possible follow-ups>
- RE: portscans from 255.255.255.255? larosa, vjay (Jan 30)