Snort mailing list archives

RE: Source IP 173.80.0.0 [revisited], bug?


From: "Fred McFeeters" <nfolink () hotmail com>
Date: Tue, 2 Mar 2004 21:55:38 -0600

A lot of broadband providers commonly scan their network.

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ed
Sent: Tuesday, March 02, 2004 2:03 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Source IP 173.80.0.0 [revisited], bug?

Now that I finally had some time, I went back and did some packet captures
with ethereal for this traffic on my cable Internet connection.  All of the
packets were the same, local broadcast traffic with invalid IPv4 headers.
I'm kinda curious why Snort always thinks the source IP is 173.80.0.0.  This
MAC is never in my ARP table.

At the same time, this MAC is the only one I've captured doing ARP requests
on the network.  Oddly enough, all of the requests are for different IP
ranges (all belonging to my cable provider though, according to WHOIS).
Either they (the cable provider) are running multiple IP ranges on the same
network, possible, but kinda stupid if you ask me, or someone is sending a
LOT of traffic they shouldn't be.

Any other ideas?

ethereal data below.

<><><>
Frame 849 (60 bytes on wire, 60 bytes captured)
Arrival Time: Mar 2, 2004 10:07:32.601547000
Time delta from previous packet: 3.387634000 seconds
Time since reference or first frame: 216.851699000 seconds
Frame Number: 849
Packet Length: 60 bytes
Capture Length: 60 bytes
Ethernet II, Src: 00:30:b8:01:ad:50, Dst: ff:ff:ff:ff:ff:ff
Destination: ff:ff:ff:ff:ff:ff (Broadcast)
Source: 00:30:b8:01:ad:50 (Riverdel_01:ad:50)
Type: IP (0x0800)
Internet Protocol
Version: 0
Header length: 0 bytes (bogus, must be at least 20)
0000 ff ff ff ff ff ff 00 30 b8 01 ad 50 08 00 00 01 .......0...P....
0010 08 00 06 04 00 01 00 30 b8 01 ad 50 00 00 00 00 .......0...P....
0020 00 00 00 00 00 00 cf 0c aa 03 dd 3b 7a 1a 00 1f ...........;z...
0030 00 00 45 00 00 28 47 4e 40 00 80 06 ..E..(GN@...
<><><>

-Ed

----- Original Message ----- 
From: "ypwhich" <ypwhich () paunix org>
To: <snort-users () lists sourceforge net>
Sent: Monday, February 23, 2004 4:04 PM
Subject: Re: [Snort-users] Source IP 173.80.0.0


Ed,

While not 100% certain, what you're receiving sounds like a multicast.
Probably from your ISP.  Perhaps run a sniffer which would provide more
information.

-ypwhich

On Sun, 22 Feb 2004, Ed wrote:

Date: Sun, 22 Feb 2004 14:52:54 -0500
From: Ed <ed () eddo net>
To: snort-users () lists sourceforge net
Subject: [Snort-users] Source IP 173.80.0.0

Greetings -

Has anyone run into seeing tons of traffic from this IP?  I set up snort
on my redhat box acting as my router for my cable modem.  I see TONS of
traffic from 173.80.0.0 to 0.0.0.0.  The signature lists as
"(snort_decoder) WARNING: Not IPv4 datagram!", Layer 4 Protocol: 48

I've seen about 5000 packets in the past 8 hours.  WHOIS information
shows as being IANA Reserved...
 http://ws.arin.net/cgi-bin/whois.pl?queryinput=173.80.0.0


-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
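Decoding frame 849 from Ed's dump both ways, as an added example that is not part of the thread: the bytes following EtherType 0x0800 match the layout of an ARP request, so a decoder that trusts the EtherType and parses an IPv4 header reads the last two sender-MAC bytes plus the first two sender-IP bytes (ad 50 00 00) as source 173.80.0.0, the zeroed sender IP as destination 0.0.0.0, and the sender-MAC byte 0x30 as "protocol 48", exactly the values Snort reported. The ARP reading is my interpretation of the hex, not something anyone in the thread states; the frame bytes are re-typed from the post and the helper names are mine.

```python
import struct
from ipaddress import IPv4Address
# Frame 849, re-typed from the hex columns of Ed's ethereal dump (60 bytes).
FRAME_849 = bytes.fromhex(
    "ffffffffffff0030b801ad5008000001"
    "0800060400010030b801ad5000000000"
    "000000000000cf0caa03dd3b7a1a001f"
    "000045000028474e40008006"
)
def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def decode_as_ipv4(frame):
    # What a decoder that trusts EtherType 0x0800 sees: version 0, a bogus
    # header length, "protocol" 0x30 = 48 (a sender-MAC byte) and a source
    # of 173.80.0.0 (bytes ad 50 00 00 at frame offset 26: the last two
    # sender-MAC bytes followed by the first two sender-IP bytes).
    ip = frame[14:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    return {
        "ethertype": struct.unpack("!H", frame[12:14])[0],
        "version": version,
        "header_len": ihl,
        "valid_ipv4": version == 4 and ihl >= 20,
        "protocol": ip[9],
        "src": str(IPv4Address(ip[12:16])),
        "dst": str(IPv4Address(ip[16:20])),
    }

def decode_as_arp(frame):
    # The same payload read with the RFC 826 layout for Ethernet/IPv4 ARP.
    # Returns None unless the fixed fields match; bytes past the 28-byte
    # ARP body are Ethernet padding and are returned untouched.
    body = frame[14:42]
    hwtype, ptype, hlen, plen, op = struct.unpack("!HHBBH", body[:8])
    if (hwtype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": {1: "request", 2: "reply"}.get(op, op),
        "sender_mac": mac(body[8:14]),
        "sender_ip": str(IPv4Address(body[14:18])),
        "target_mac": mac(body[18:24]),
        "target_ip": str(IPv4Address(body[24:28])),
        "padding": frame[42:],
    }

if __name__ == "__main__":
    print("as IPv4:", decode_as_ipv4(FRAME_849))
    print("as ARP: ", decode_as_arp(FRAME_849))
```

The ARP view shows a request with sender IP 0.0.0.0 (the form a host uses while it has no address yet) for target 207.12.170.3, which fits Ed's observation that this MAC is the one sending ARP requests for addresses in his provider's ranges.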