Snort mailing list archives
Re: Strange portscan traffic with dest of 169.254.x.x
From: Aaron Giuoco <agiuoco () yahoo com>
Date: Tue, 26 Feb 2008 06:08:37 -0800 (PST)
Thanks for all of the comments. I'm thinking about just suppressing those alerts to the 169.254.0.0/16 range.

The other strange thing about this, something I failed to mention in my original post, is the volume of these alerts. It's not consistent across all of the machines. Usually, there will be just one or two boxes out there that generate 300-400 of these types of alerts over a 24-hour period. The next closest machine is usually generating between 20 and 50 alerts. Then everything returns to normal. For that reason, I think it might be something installed on those specific computers that is generating all of that traffic. The traffic is probably harmless, but now I'm curious. So I'm off to chase the wild goose! :-)

AG

----- Original Message ----
From: Joel Esler <joel.esler () sourcefire com>
To: dhottinger () harrisonburg k12 va us
Cc: snort-users () lists sourceforge net
Sent: Monday, February 25, 2008 5:02:04 PM
Subject: Re: [Snort-users] Strange portscan traffic with dest of 169.254.x.x

CunningPike had it right. When your machines can't find an IP (via DHCP, or whatever), they default to the 169.254.x.x range. Since your machines were contacting ports 139:445, I am willing to bet that it's a Windows machine plugged into the network somewhere (on the same broadcast domain as your Snort sensor) and can't DHCP itself for whatever reason.

My suggestion is that you use Snort in sniffer mode like

    # snort -vde 'net 169.254.x.x'

and look at the mac addresses. See if that helps you out any. Assigning these IPs should be the default behavior of both Windows and OSX.

Joel

On Feb 25, 2008, at 5:47 PM, dhottinger () harrisonburg k12 va us wrote:
> Quoting Aaron Giuoco <agiuoco () yahoo com>:
>
>> True. But it is unusual to see so much traffic from 169.254 leaving a computer that already has a network connection. I haven't been able to confirm whether the packets are related to ActiveSync like Paul mentioned. Thanks for the replies. I'll try to confirm whether or not ActiveSync is being used on these PCs or not and post back.
>>
>> AG
>
> I missed part of this post. However, I see lots of 169 traffic from my apple 10.4, 10.5 computers. I think they use it for bonjour or entourage, which is a way to find printers, and other network resources.
>
> --
> Dwayne Hottinger
> Network Administrator
> Harrisonburg City Public Schools
> "Everything should be made as simple as possible, but not simpler." -- Albert Einstein
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Joel Esler
joel.esler () sourcefire com
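As an added illustration of the triage Aaron describes (counting alerts per source host to the 169.254.0.0/16 range and spotting the one or two machines that dominate) and of the suppress option he mentions, here is a Python script that is not part of this thread or of Snort itself. It assumes the alerts come from Snort's sfPortscan preprocessor (gid 122, sid 1 for "TCP Portscan") written in alert_fast format; the alert lines it runs over are constructed sample data and the host addresses are invented. The outlier test uses a multiple of the median so that a couple of hosts at a few hundred alerts stand out against the rest at a few dozen, and the suppress line it prints uses Snort 2's threshold.conf syntax to silence the signature by destination range.

```python
"""Triage Snort portscan alerts whose destination is the APIPA range 169.254.0.0/16.

Added example for the mailing-list thread above, not code from Snort or from the
thread's authors. Sample alert lines are constructed below.
"""
import ipaddress
import re
import statistics
from collections import Counter

APIPA = ipaddress.ip_network("169.254.0.0/16")

# Snort alert_fast lines. Portscan alerts carry no ports:
#   02/25-17:02:04.123456  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {TCP} 10.1.2.3 -> 169.254.12.34
# ordinary rule alerts do:
#   02/25-17:02:05.000001  [**] [1:2003:0] NETBIOS SMB ... [**] [Priority: 2] {TCP} 10.1.2.3:1234 -> 10.1.2.9:445
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_line(line):
    """Return the alert's fields as a dict, or None for lines that are not alerts."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["gid"], d["sid"] = int(d["gid"]), int(d["sid"])
    return d


def count_apipa_sources(lines):
    """Count alerts per source host whose destination falls in 169.254.0.0/16."""
    counts = Counter()
    for line in lines:
        a = parse_fast_line(line)
        if a and ipaddress.ip_address(a["dst"]) in APIPA:
            counts[a["src"]] += 1
    return counts


def find_outliers(counts, factor=3.0):
    """Hosts whose alert count exceeds `factor` times the median over all hosts.

    With one or two hosts at a few hundred alerts and the rest at a few dozen,
    the median stays low and the noisy hosts are the ones returned.
    """
    if not counts:
        return []
    median = statistics.median(counts.values())
    return sorted(
        ((src, n) for src, n in counts.items() if n > factor * median),
        key=lambda kv: kv[1],
        reverse=True,
    )


def suppress_line(gid, sid, cidr=str(APIPA)):
    """Snort 2 threshold.conf line that silences one signature for a destination range."""
    return f"suppress gen_id {gid}, sig_id {sid}, track by_dst, ip {cidr}"


def constructed_alerts(per_host, gid=122, sid=1):
    """Build synthetic portscan alert lines (constructed sample data, not a real log)."""
    lines = []
    for src, n in per_host.items():
        for i in range(n):
            lines.append(
                f"02/25-17:02:{i % 60:02d}.000000  [**] [{gid}:{sid}:0] (portscan) TCP Portscan "
                f"[**] [Priority: 3] {{TCP}} {src} -> 169.254.{(i % 250) + 1}.{(i * 7) % 250 + 1}"
            )
    # One non-APIPA rule alert and one non-alert line that the filter must ignore.
    lines.append("02/25-17:03:00.000000  [**] [1:2003:0] NETBIOS SMB IPC$ share access [**] "
                 "[Priority: 2] {TCP} 10.1.2.3:1234 -> 10.1.2.9:445")
    lines.append("Commencing packet processing (pid=1234)")
    return lines


if __name__ == "__main__":
    # Invented hosts mirroring the pattern in the thread: one box far above the rest.
    sample = constructed_alerts({"10.1.2.3": 350, "10.1.2.4": 30, "10.1.2.5": 20, "10.1.2.6": 25})
    counts = count_apipa_sources(sample)
    for src, n in find_outliers(counts):
        print(f"outlier: {src} generated {n} alerts to {APIPA}")
    print(suppress_line(122, 1))
```

Run against a real alert file by passing its lines to count_apipa_sources; the outlier list is what to chase with the sniffer-mode capture Joel suggests, and the suppress line is the blanket option Aaron is weighing (it hides the whole range for that signature, so keep the per-host count around if you still want to notice a box that suddenly climbs to hundreds of alerts).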
Current thread:
- Strange portscan traffic with dest of 169.254.x.x Aaron Giuoco (Feb 25)
- Re: Strange portscan traffic with dest of 169.254.x.x Paul Melson (Feb 25)
- Re: Strange portscan traffic with dest of 169.254.x.x CunningPike (Feb 25)
- <Possible follow-ups>
- Re: Strange portscan traffic with dest of 169.254.x.x Aaron Giuoco (Feb 25)
- Re: Strange portscan traffic with dest of 169.254.x.x dhottinger (Feb 25)
- Re: Strange portscan traffic with dest of 169.254.x.x Joel Esler (Feb 25)
- Re: Strange portscan traffic with dest of 169.254.x.x dhottinger (Feb 25)
- Re: Strange portscan traffic with dest of 169.254.x.x Aaron Giuoco (Feb 26)