Snort mailing list archives
Re: Alerts where source and destination addresses equal 0.0.0.0
From: Cyrille Bollu <cyrille.bollu () gmail com>
Date: Fri, 24 Jan 2014 15:40:15 +0100
Should you know all the crap that's in my company's wires...

On Fri, Jan 24, 2014 at 1:02 PM, James Lay <jlay () slave-tothe-box net> wrote:

> On Fri, 2014-01-24 at 08:56 +0100, Cyrille Bollu wrote:
>
>> Hi,
>>
>> On my installation, I've a lot of alerts 2002023-2002028 whose source and
>> destination IP addresses equal 0.0.0.0.
>>
>> I've googled about this on the Internet, but couldn't really pinpoint
>> what's going on.
>>
>> Do any of you have a clue? And, how could I prevent from being alerted
>> for such events?
>>
>> I've tried filtering them (eg: !0.0.0.0 -> any 6666:7000), but it didn't
>> seem to work.
>>
>> Thanks for any help.
>>
>> Cyrille
>
> You can add them to your threshold.conf file:
>
> suppress gen_id 1, sig_id 2002023, track by_src, ip 0.0.0.0
>
> You'd have to add the above for each sig. But seeing as those are IRC
> ports, I'd suggest something nefarious is going on.
>
> James
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!
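An added example, not part of the thread and not written by any of its posters: a Python sketch that reads alerts in Snort's alert_fast layout, finds which SIDs in the 2002023-2002028 range fired with 0.0.0.0 on both sides, and emits one suppress line per SID in the form quoted above. The sample alert lines, their rule messages and revisions, SID 1000001, and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed alert_fast-style lines (not from the thread); messages are placeholders.
SAMPLE_ALERTS = """\
01/24-08:56:01.100000  [**] [1:2002023:0] constructed msg [**] [Priority: 3] {TCP} 0.0.0.0:40000 -> 0.0.0.0:6667
01/24-08:56:02.200000  [**] [1:2002023:0] constructed msg [**] [Priority: 3] {TCP} 0.0.0.0:40000 -> 0.0.0.0:6667
01/24-08:56:03.300000  [**] [1:2002026:0] constructed msg [**] [Priority: 3] {TCP} 0.0.0.0:40001 -> 0.0.0.0:6668
01/24-08:56:04.400000  [**] [1:2002024:0] constructed msg [**] [Priority: 3] {TCP} 192.0.2.10:51000 -> 198.51.100.7:6667
01/24-08:56:05.500000  [**] [1:1000001:0] constructed msg [**] [Priority: 3] {TCP} 0.0.0.0:40002 -> 0.0.0.0:80
"""

# [gid:sid:rev] ... {PROTO} src[:port] -> dst[:port]   (IPv4 only)
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\].*?\{\w+\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)
SID_RANGE = range(2002023, 2002029)  # the SIDs named in the thread


def triage(text):
    """Split in-range alerts into 0.0.0.0 -> 0.0.0.0 counts and alerts with real addresses."""
    zero, real = Counter(), []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m or int(m["sid"]) not in SID_RANGE:
            continue
        key = (int(m["gid"]), int(m["sid"]))
        if m["src"] == m["dst"] == "0.0.0.0":
            zero[key] += 1
        else:
            real.append((key[1], m["src"], m["dst"]))
    return zero, real


def suppress_lines(zero):
    """One threshold.conf entry per SID that actually fired with a 0.0.0.0 source."""
    return [f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip 0.0.0.0"
            for gid, sid in sorted(zero)]


if __name__ == "__main__":
    zero, real = triage(SAMPLE_ALERTS)
    print("\n".join(suppress_lines(zero)))
    for sid, src, dst in real:
        print(f"# not covered by the suppress entries: sid {sid} {src} -> {dst}")
```

Because each entry tracks by_src with ip 0.0.0.0, alerts on the same SIDs from a real source address, such as the constructed 192.0.2.10 line, keep firing and can still be investigated.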
Current thread:
- Alerts where source and destination addresses equal 0.0.0.0 Cyrille Bollu (Jan 24)
- Re: Alerts where source and destination addresses equal 0.0.0.0 James Lay (Jan 24)
- Re: Alerts where source and destination addresses equal 0.0.0.0 Cyrille Bollu (Jan 24)
- Re: Alerts where source and destination addresses equal 0.0.0.0 waldo kitty (Jan 24)
- Re: Alerts where source and destination addresses equal 0.0.0.0 James Lay (Jan 24)