Snort mailing list archives

Previous By Date Next
Previous By Thread Next

IP addresses beginning with zero?

From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Wed, 13 Mar 2002 16:40:06 -0500

In my Snort (1.9dev) server logs I occasionally see UDP packets from several
internal NT servers destined for IP addresses where the first octet is zero
such as 0.0.0.10 and 0.0.0.172. Source and destination ports are always 137
and the packet contents appear to be normal Netbios over IP stuff. It
happens only maybe 3 to 6 times per day and I have been trying to research
why this is happening so as to rule out any security issues such as a trojan
horse or some other illicit code communicating on the network. THe
interesting thing is if I look at the MAC addresses the packets are destined
for when sent to these IP addresses beginning with zero, the MAC address is
always points to our internal firewall interface.

Some examples:
NTserver1:137     -> 0.0.0.172:137

NTserver2:137     -> 172.0.0.17:137

NTserver3:137     -> 0.0.0.10:137     

Some traces with MAC address info:
[**] [1:0:0] UDP to 0.0.0.172 [**]
03/11-20:37:22.297425 0:8:C7:E6:26:D8 -> 0:D0:B7:3D:9B:AE type:0x800
len:0x5C
NTServer1:137 -> 0.0.0.172:137 UDP TTL:128 TOS:0x0 ID:21003 IpLen:20
DgmLen:78
Len: 58

[**] [1:0:0] UDP to 0.0.0.10 [**]
03/11-20:37:48.225007 0:8:C7:E6:26:D8 -> 0:D0:B7:3D:9B:AE type:0x800
len:0x5C
NTServer1:137 -> 0.0.0.10:137 UDP TTL:128 TOS:0x0 ID:34063 IpLen:20
DgmLen:78
Len: 58

[**] [1:0:0] UDP to 172.0.0.17 [**]
03/11-21:22:07.738358 0:8:C7:E6:26:D8 -> 0:D0:B7:3D:9B:AE type:0x800
len:0x5C
NTServer1:137 -> 172.0.0.17:137 UDP TTL:128 TOS:0x0 ID:28172 IpLen:20
DgmLen:78
Len: 58

I came across only one site on the Internet that mentioned the following:

"0 <IP addresses beginning with 0>: These are reserved for computers that do
not know their address. For example, 0.0.0.10 would be a computer that only
knew it was host 10 on an unknown network."

I can find no other information on IP addresses where the first octet is
zero. I was curious if anyone else has come across packets on their network
destined for IP addresses beginning with 0, and if you might have any other
information on this.


Thanks!

Paul Sheahan
Manager of Information Security
Priceline.com
paul.sheahan () priceline com



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: