Re: (no subject)

["Marc Quibell" <mquibell () fbfs com>]

Yes, I had suggested it was a router, since they were ICMP  "unreachable"
errors, and usually it's the routers responding. Is this a worm or something
randomly searching IPs for port 138? Sorry, I overlooked the fact that you had
destinations in the packets as well...

Maybe you can put on your Cisco routers "no ip directed broadcasts" and it will
help?

Marc





roesch () sourcefire com on 09/22/2003 02:48:24 PM

To:   "Edward Marshall" <edtech () tstt net tt>
cc:   Marc Quibell/FBFS@FBFS, snort-users () lists sourceforge net

Subject:  Re: [Snort-users] (no subject)



That looks like something responding on the broadcast to broadcast
netbios-dgm traffic, did you get the MAC address of the source side of
the packets?  Some device on the network is feeling empowered to answer
for  broadcast traffic....

      -Marty

On Thursday, September 18, 2003, at 09:22  PM, Edward Marshall wrote:

> Hi Marc, in response to your question on my problem (Broadcast
> addresses
> showing up as a source IP address??? 192.168.2.255 & 255.255.255.255),
> I
> have included in this email, 4 alert messages, as an example of what
> snort is detecting and logging in the log file called ALERT:
>
>
> [**] [117:1:1] (spp_portscan2) Portscan detected from 255.255.255.255:
> 6
> targets 6 ports in 45 seconds [**]
> 07/29-11:03:54.973312 255.255.255.255 -> 192.168.2.217
> ICMP TTL:64 TOS:0x0 ID:19157 IpLen:20 DgmLen:68
> Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
> ** ORIGINAL DATAGRAM DUMP:
> 192.168.2.217:138 -> 255.255.255.255:138
> UDP TTL:255 TOS:0x0 ID:7551 IpLen:20 DgmLen:229
> Len: 201
> ** END OF DUMP
>
>
> [**] [117:1:1] (spp_portscan2) Portscan detected from 255.255.255.255:
> 6
> targets 6 ports in 79 seconds [**]
> 07/29-13:40:20.891202 255.255.255.255 -> 192.168.2.146
> ICMP TTL:64 TOS:0x0 ID:47418 IpLen:20 DgmLen:68
> Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
> ** ORIGINAL DATAGRAM DUMP:
> 192.168.2.146:138 -> 255.255.255.255:138
> UDP TTL:255 TOS:0x0 ID:26601 IpLen:20 DgmLen:229
> Len: 201
> ** END OF DUMP
>
>
> [**] [117:1:1] (spp_portscan2) Portscan detected from 192.168.2.255: 6
> targets 6 ports in 53 seconds [**]
> 07/29-09:55:31.003547 192.168.2.255 -> 192.168.2.55
> ICMP TTL:64 TOS:0x0 ID:34116 IpLen:20 DgmLen:68
> Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
> ** ORIGINAL DATAGRAM DUMP:
> 192.168.2.55:138 -> 192.168.2.255:138
> UDP TTL:128 TOS:0x0 ID:8463 IpLen:20 DgmLen:229
> Len: 201
> ** END OF DUMP
>
>
> [**] [117:1:1] (spp_portscan2) Portscan detected from 192.168.2.255: 6
> targets 6 ports in 34 seconds [**]
> 07/29-09:56:17.455466 192.168.2.255 -> 192.168.2.69
> ICMP TTL:64 TOS:0x0 ID:52213 IpLen:20 DgmLen:68
> Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
> ** ORIGINAL DATAGRAM DUMP:
> 192.168.2.69:138 -> 192.168.2.255:138
> UDP TTL:32 TOS:0x0 ID:35585 IpLen:20 DgmLen:231
> Len: 203
> ** END OF DUMP
>
>
>
> -----Original Message-----
> From: snort-users-admin () lists sourceforge net
> [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Marc
> Quibell
> Sent: Thursday, September 18, 2003 9:51 AM
> To: snort-users () lists sourceforge net
> Cc: edtech () tstt net tt
> Subject: [Snort-users] (no subject)
>
>
>
> Broadcast addresses can't show up as a source. Must be your reporting
> is
> a
> little whacky...What are the destinations?
>
> Marc
>
> > Message: 2
> > From: "Edward Marshall" <edtech () tstt net tt>
> > To: <snort-users () lists sourceforge net>
> > Date: Thu, 18 Sep 2003 05:59:43 -0400
> > Subject: [Snort-users] Broadcast address???>
>
> > This is a multi-part message in MIME format.
>
> > ------=_NextPart_000_0001_01C37DAA.0F55F630
> > Content-Type: text/plain;
>      charset="us-ascii"
> > Content-Transfer-Encoding: 7bit
>
> > Hi Guys, after running Snort 2.0.1 on a corporate network
> 192.168.2.0/24
> > for a week, I used Sawmill to analyze the Snort log files (Alert,
> > Portscan.log and Scan.log).
> > I noticed that the following source IP addresses showed up
> 192.168.2.255
> > (with 6,296 hits) and 255.255.255.255 (with 626 hits). My question is,
> > isn't these two IP addresses - broadcast addresses???  How can a
> > broadcast address show up as a source IP address???
>
> > Any assistance would be greatly appreciated!!!
>
>
> > Thanks
>
> > Eddie
>
>
>
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Enterprise-class Intrusion detection built on Snort
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org







-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users