Snort mailing list archives
Re: IP recognition
From: Mayur Patil <ram.nath241089 () gmail com>
Date: Fri, 19 Jul 2013 22:31:52 +0530
Hi Waldo,

Got it. Thanks for the satisfactory explanation.

Lesson : Don't interrupt if that is not interrupting you !!

--
Cheers, Mayur

On Fri, Jul 19, 2013 at 10:22 PM, waldo kitty <wkitty42 () windstream net> wrote:
> On 7/19/2013 05:18, Mayur Patil wrote:
>> Hello,
>> I am unable to recognize the IP when I run snort in NIDS mode.
>>
>> 192.168.10.121:56333 -> 224.0.0.252:5355 UDP TTL:1 TOS:0x0 ID:18058 IpLen:20 DgmLen:50
>> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>> 07/19-14:45:25.191751 00:22:19:06:B9:1C -> FF:FF:FF:FF:FF:FF type:0x800 len:0x5C
>> 10.1.11.172:137 -> 10.1.11.255:137 UDP TTL:128 TOS:0x0 ID:15751 IpLen:20 DgmLen:78
>> +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>> 07/19-14:45:25.194146 B8:AC:6F:45:F8:23 -> FF:FF:FF:FF:FF:FF type:0x800 len:0xF3
>> 10.1.47.230:138 -> 10.1.47.255:138 UDP TTL:128 TOS:0x0 ID:5740 IpLen:20 DgmLen:229
>>
>> My admin says it is from other IP range within proxy then why they are bombarding on my system unintentionally ??
>
> they are not "bombarding" your system... they are broadcasts... the 224.0.0.252 address is a multicast address... see the following link for more information...
>
> http://en.wikipedia.org/wiki/Multicast_address
>
> then find the 252 one in the chart and follow that link for more specific info on that particular entry... the ones to 10.1.11.255 are specifically NETBIOS/NETBEUI queries to see what samba/windows_networking clients are active so they can be shown in the network neighborhood type displays... they also have elections between them to decide which will be the "browse master" and tell the others what machines are active and where they are located (ip)...
>
>> How to stop them from interacting with my system?
>
> you cannot stop them... the best you could do would be to firewall your machine from them... one might do this by blocking all traffic to 10.1.11.255 but this may very easily break other stuff you desire to work... one might block traffic to/from ports 137, 138 and 445 but again, that might break other stuff that you desire to work...
>
> it is amazing what one starts to find when one starts looking at the network traffic one's machine is really transmitting/receiving, isn't it?
>
> i remember when many folks switched from single-task DOS to multitask networking capable windows and how they were always asking why the light on the hub/switch/router is blinking when i'm not doing anything... same with the HD light on the computer case... just because a human isn't doing something doesn't mean that the computer isn't talking to something else or performing some system maintenance ;)
>
>> Any hints !! Seeking for guidance, Thanks !!
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- IP recognition Mayur Patil (Jul 19)
- Re: IP recognition waldo kitty (Jul 19)
- Re: IP recognition Mayur Patil (Jul 19)
- Re: IP recognition waldo kitty (Jul 19)