Snort mailing list archives
Re: MY SNORT DETECT only one IP: 0.0.0.0:68 UDP
From: Carlos Rodriguez Hernandez <crodriguezh.ext () redborder com>
Date: Mon, 22 Feb 2016 17:24:51 +0100
Hello Saulo,

Typically this traffic is related to normal DHCP operation and is not an attack on your network. DHCP (Dynamic Host Configuration Protocol) is how your computer gets its unique IP address. When a system starts up on a network it must first request an IP address (assume it is not using a static IP address), and it does this by broadcasting a request to the DHCP server:

UDP 0.0.0.0:68 -> 255.255.255.255:67

Since the requesting system doesn't have an IP address (which is why it is asking) it uses 0.0.0.0, and since it's new to the network it doesn't know where the DHCP server is, so it broadcasts the request to the entire network.

2016-02-22 15:53 GMT+01:00 <snort-users-request () lists sourceforge net>:
> Message: 1
> Date: Fri, 19 Feb 2016 15:57:14 -0200
> From: Saulo Fernandes <sauloitu () gmail com>
> Subject: [Snort-users] MY SNORT DETECT only one IP: 0.0.0.0:68 UDP.
> To: snort-users () lists sourceforge net
> Message-ID: <CAJaY=_Z_NG9Dr0EKB9G3jL1EwZUOE8qhivOQs40mDO= vj+D1pQ () mail gmail com>
> Content-Type: text/plain; charset="utf-8"
>
> Hello, I'm new here in this forum, and also new to Snort. I installed Snort-mysql + BASE here on the company network, but for some reason Snort just shows this IP, 0.0.0.0:68 UDP, as shown below in the log. The strange thing is that my IP range is 10.10.10.1 to 10.10.10.126 with mask 255.255.255.128 and still Snort is detecting this 0.0.0.0:68 sending.
>
> alert log snort:
>
> [**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 02/19-12:31:57.762519 0.0.0.0:68 -> 255.255.255.255:67
> UDP TTL:64 TOS:0x0 ID:30729 IpLen:20 DgmLen:328
> Len: 300
--
Carlos Rodríguez C
Developer
crodriguezh.ext () redborder com
+34 609477932 | +34 955 601 160
SAN FRANCISCO - SEVILLE - MADRID
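For anyone triaging the same alert, the following is an added example (not code from the thread or from Snort itself) that parses a Snort full-format alert record like the one Saulo posted, flags the 0.0.0.0:68 -> 255.255.255.255:67/UDP pattern as a DHCP client bootstrap rather than hostile traffic, and emits a threshold.conf suppression for that source only. It assumes the Snort 2.x `suppress gen_id ..., sig_id ..., track by_src, ip ...` syntax and that 0.0.0.0 is accepted as a tracked host on your build; the sample record is constructed from the post.

```python
import re
from dataclasses import dataclass

# Constructed sample: the alert record quoted in the thread, in Snort's full-alert layout.
SAMPLE_ALERT = """\
[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
02/19-12:31:57.762519 0.0.0.0:68 -> 255.255.255.255:67
UDP TTL:64 TOS:0x0 ID:30729 IpLen:20 DgmLen:328
Len: 300
"""

_SIG = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")
_HDR = re.compile(r"^\S+\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)$")


@dataclass
class Alert:
    gid: int
    sid: int
    msg: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_alert(record: str) -> Alert:
    """Parse one Snort full-format alert record: [gid:sid:rev] msg, 5-tuple, protocol line."""
    sig = _SIG.search(record)
    if sig is None:
        raise ValueError("no [gid:sid:rev] signature line")
    lines = [ln.strip() for ln in record.strip().splitlines() if ln.strip()]
    for i, ln in enumerate(lines):
        hdr = _HDR.match(ln)
        if hdr:
            # The line after the timestamp/5-tuple header starts with the protocol ("UDP TTL:64 ...").
            proto = lines[i + 1].split()[0] if i + 1 < len(lines) else "?"
            src, sport, dst, dport = hdr.groups()
            return Alert(int(sig[1]), int(sig[2]), sig[4], proto,
                         src, int(sport), dst, int(dport))
    raise ValueError("no timestamp/5-tuple header line")


def is_dhcp_bootstrap(a: Alert) -> bool:
    """A client with no address yet broadcasting for a lease: 0.0.0.0:68 -> 255.255.255.255:67 over UDP."""
    return (a.proto == "UDP" and a.src == "0.0.0.0" and a.sport == 68
            and a.dst == "255.255.255.255" and a.dport == 67)


def suppress_line(a: Alert) -> str:
    """threshold.conf entry (Snort 2.x syntax, assumed) silencing this SID for the 0.0.0.0 source only."""
    return f"suppress gen_id {a.gid}, sig_id {a.sid}, track by_src, ip {a.src}"
```

Suppressing by source keeps the rule live for any other host that trips it; a lease renewal from an already-addressed client (unicast from its own IP) is deliberately not matched by `is_dhcp_bootstrap`.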