Re: Alerts where source and destination addresses equal 0.0.0.0

[Cyrille Bollu <cyrille.bollu () gmail com>]

Should you know all the crap that's in my company's wires...


On Fri, Jan 24, 2014 at 1:02 PM, James Lay <jlay () slave-tothe-box net> wrote:

>  On Fri, 2014-01-24 at 08:56 +0100, Cyrille Bollu wrote:
>
> Hi,
>
>
>  On my installation, I've a lot of alerts 2002023-2002028 whose source
> and destination IP addresses equal 0.0.0.0.
>
>
>  I've googled about this on Internet, but couldn't really pinpoint what's
> going on.
>
>
>  Do any of you have a clue?
>
>
>  And, how could I prevent from being alerted for such events? I've tried
> filtering them (eg: !0.0.0.0 -> any 6666:7000), but it didn't seem to work.
>
>
>  Thanks for any help.
>
>
>  Cyrille
>
>  ------------------------------------------------------------------------------
> CenturyLink Cloud: The Leader in Enterprise Cloud Services.
> Learn Why More Businesses Are Choosing CenturyLink Cloud For
> Critical Workloads, Development Environments & Everything In Between.
> Get a Quote or Start a Free Trial Today. http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-sigs mailing 
> listSnort-sigs@lists.sourceforge.nethttps://lists.sourceforge.net/lists/listinfo/snort-sigshttp://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
>
> You can add them to your threshold.conf file:
>
> suppress gen_id 1, sig_id 2002023, track by_src, ip 0.0.0.0
>
> You'd have to add the above for eash sig.  But seeing as those are IRC
> ports, I'd suggest something nefarious is going on.
>
> James
>
>
> ------------------------------------------------------------------------------
> CenturyLink Cloud: The Leader in Enterprise Cloud Services.
> Learn Why More Businesses Are Choosing CenturyLink Cloud For
> Critical Workloads, Development Environments & Everything In Between.
> Get a Quote or Start a Free Trial Today.
>
> http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------
CenturyLink Cloud: The Leader in Enterprise Cloud Services.
Learn Why More Businesses Are Choosing CenturyLink Cloud For
Critical Workloads, Development Environments & Everything In Between.
Get a Quote or Start a Free Trial Today. 
http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!