![snort logo](/images/snort-logo.png)
Snort mailing list archives
Re: portscans from 255.255.255.255?
From: Matt Kettler <mkettler () EVI-INC COM>
Date: Thu, 30 Jan 2003 16:34:52 -0500
This is likely to be the Q backdoor. It should be caught be the second of these two rules from backdoor.rules:alert icmp 255.255.255.0/24 any -> $HOME_NET any (msg:"BACKDOOR SIGNATURE - Q ICMP"; itype: 0; dsize: >1; reference:arachnids,202; sid:183; classtype:misc-activity; re
v:3;)alert tcp 255.255.255.0/24 any -> $HOME_NET any (msg:"BACKDOOR Q access"; flags:A+;
dsize: >1; reference:arachnids,203; sid:184; classtype:misc-activity; rev:3;)Note that it won't match a grep "255.255.255.255" but it will match a grep "255\.255\.255\."
( . is a wildcard to grep, I added the \'s to prevent the grep from matching 255x255x255x instead of 255.255.255.)
At 12:39 PM 1/30/2003 -0800, twig les wrote:
Hey all, I have seriously debated whether I should send this since it may or may not be off-topic; it's just too bizarre to tell. My border routers are sysloging this: bdr-acl-in denied tcp 255.255.255.255(80) -> 1.1.156.194(8118) The acl is named correctly - these hits are coming from the outside. They hit random IPs in our range like NMAP, and they always target a high port coming from 80. I would assume they are from a LAN upstream since only routers doing stupid things forward broadcasts. The implications of this coming from our upstream provider are quite large since we peer via dual /30s. It isn't crucial to my security (we don't let those shenanigans in the border), but does snort see this as bad traffic? I did a quick "grep 255.255.255.255 *" in the snortrules dir and only came up with a couple of snmp rules. I would like to know if I should write a rule for this since I only caught this by accident this time. ===== ----------------------------------------------------------- Know yourself and know your enemy and you will never fear defeat. ----------------------------------------------------------- __________________________________________________ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com ------------------------------------------------------- This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------- This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- portscans from 255.255.255.255? twig les (Jan 30)
- Re: portscans from 255.255.255.255? Sam Evans (Jan 30)
- Re: portscans from 255.255.255.255? Gary Flynn (Jan 30)
- Re: portscans from 255.255.255.255? Matt Kettler (Jan 30)
- <Possible follow-ups>
- RE: portscans from 255.255.255.255? larosa, vjay (Jan 30)