Snort mailing list archives
Re: Please help with this strangeness
From: Erek Adams <erek () snort org>
Date: Thu, 15 Jan 2004 07:25:49 -0500 (EST)
On Thu, 15 Jan 2004, Michael Thompson wrote:
I was going through all my security logs today and I noticed something a little odd, and wondered if anyone could offer any insight? I am not that good at detailed security! I have an IP block assigned from my ISP, which is 81.174.224.68 to 81.174.224.70. As I understand it, 68 is a broadcast address, 69 is assigned to the router, 70 is for a server, which I don't use at the present time.
Actually, that breaks down like this:

[erek@foofus]~>ipcalc 81.174.224.68/30
IP address       81 . 174 . 224 . 68 / 30                 81.174.224.68/30
Netmask bits     11111111 11111111 11111111 11111100
Netmask bytes    255 . 255 . 255 . 252                    255.255.255.252
Address bits     01010001 10101110 11100000 01000100
Network          81 . 174 . 224 . 68                      81.174.224.68
Broadcast        81 . 174 . 224 . 71                      81.174.224.71
First Host       81 . 174 . 224 . 69                      81.174.224.69
Last Host        81 . 174 . 224 . 70                      81.174.224.70
Total Hosts      2
PTR              68.224.174.81.in-addr.arpa
IP Address (hex) 51AEE044

So, .68 is your "network address" and .71 is the "broadcast". You can use .69 and .70 as hosts.
Now, in my snort logs, which is connected to the outside of the firewall, I get the following logs..

[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
01/15-02:49:35.625784 81.174.224.69 -> 81.174.224.70
ICMP TTL:111 TOS:0xA0 ID:45600 IpLen:20 DgmLen:92
Type:8  Code:0  ID:512   Seq:52213  ECHO
[Xref => http://www.whitehats.com/info/IDS154]

[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
01/15-02:49:35.641759 81.174.224.69 -> 81.174.224.68
ICMP TTL:110 TOS:0xA0 ID:45598 IpLen:20 DgmLen:92
Type:8  Code:0  ID:512   Seq:51701  ECHO
[Xref => http://www.whitehats.com/info/IDS154]

[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
01/15-02:49:35.642071 81.174.224.69 -> 81.174.224.70
ICMP TTL:110 TOS:0xA0 ID:45600 IpLen:20 DgmLen:92
Type:8  Code:0  ID:512   Seq:52213  ECHO
[Xref => http://www.whitehats.com/info/IDS154]

[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
01/15-02:49:35.649566 81.174.224.69 -> 81.174.224.71
ICMP TTL:111 TOS:0xA0 ID:45601 IpLen:20 DgmLen:92
Type:8  Code:0  ID:512   Seq:52469  ECHO
[Xref => http://www.whitehats.com/info/IDS154]

[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
01/15-02:49:35.665945 81.174.224.69 -> 81.174.224.71
ICMP TTL:110 TOS:0xA0 ID:45601 IpLen:20 DgmLen:92
Type:8  Code:0  ID:512   Seq:52469  ECHO
[Xref => http://www.whitehats.com/info/IDS154]

Now, I thought of welchia or one of its many variants, and all machines are clean; the DHCP records show only one machine on the network connected mostly, that's my machine. It's clean. What could be causing these broadcasts? Anyone have any ideas?
Look at the real packet. The full alerts show you the basic info, but they don't show you the real packet. You'll need to log in a binary format (tcpdump/pcap) and post process to have a look at that.

I'm going to guess that if you really break down things, and have a look at the MACs involved, you'll see that your 'router' is repeating these welchia pings from other machines on your ISP's network. But then again, that's a guess. :)

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
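The post-processing Erek describes, as an added example that is not part of the thread and not a Snort or ipcalc component: a stdlib-only script that reads a libpcap file, pulls the Ethernet source MAC, IP ID, TTL and ICMP id/seq out of each echo request, and reports (a) which MACs each source IP arrives from, (b) datagrams that appear more than once with a lower TTL or a different source MAC, which is what a hop in between re-emitting the same packet looks like (the alerts above already show ID:45600/Seq:52213 twice, TTL 111 then 110), and (c) echoes aimed at the /30's network and broadcast addresses, computed the same way the ipcalc output above does. The capture, the MAC addresses and the 64-byte filler payload are constructed here for the example; the IPs and header values are the ones from the alerts.

```python
"""Post-process a pcap of ICMP echo requests (added example, stdlib only)."""
import ipaddress
import struct
from collections import defaultdict


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit words (IP and ICMP headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_frame(src_mac, dst_mac, src_ip, dst_ip, ttl, ip_id, icmp_id, seq):
    """Constructed Ethernet/IPv4/ICMP echo request; DgmLen is 20 + 8 + 64 = 92."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, icmp_id, seq) + b"\xaa" * 64
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0xA0, 20 + len(icmp), ip_id, 0, ttl, 1, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip + icmp


def build_pcap(frames, linktype=1):
    """Constructed libpcap file: 24-byte global header, 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1074150575, i * 1000, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield raw frames from a classic libpcap file, honouring either byte order."""
    magic, = struct.unpack_from("<I", data, 0)
    end = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, caplen, _origlen = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield data[off:off + caplen]
        off += caplen


def decode_echo(frame):
    """Return the fields Snort's alert line hides, or None if not an IPv4 ICMP echo request."""
    if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 1:                                   # protocol 1 = ICMP
        return None
    itype, _code, _csum, icmp_id, seq = struct.unpack("!BBHHH", ip[ihl:ihl + 8])
    if itype != 8:                                   # type 8 = echo request
        return None
    return {
        "src_mac": frame[6:12].hex(":"), "dst_mac": frame[:6].hex(":"),
        "src_ip": str(ipaddress.IPv4Address(ip[12:16])),
        "dst_ip": str(ipaddress.IPv4Address(ip[16:20])),
        "ttl": ip[8], "ip_id": struct.unpack("!H", ip[4:6])[0],
        "icmp_id": icmp_id, "seq": seq,
    }


def analyse(pcap_bytes, cidr):
    """Group echo requests by sender and flag the signs of a re-emitted datagram."""
    net = ipaddress.ip_network(cidr, strict=False)
    macs_by_src, first_seen, repeats, special_dst = defaultdict(set), {}, [], []
    for e in filter(None, map(decode_echo, read_pcap(pcap_bytes))):
        macs_by_src[e["src_ip"]].add(e["src_mac"])
        if ipaddress.ip_address(e["dst_ip"]) in (net.network_address, net.broadcast_address):
            special_dst.append((e["dst_ip"], e["ttl"]))
        # Source IP + IP ID + ICMP id/seq identify one datagram. Seeing it twice with a
        # lower TTL or from another MAC means something between the sniffer and the
        # sender forwarded it, rather than the router originating it.
        key = (e["src_ip"], e["ip_id"], e["icmp_id"], e["seq"])
        if key in first_seen:
            a = first_seen[key]
            repeats.append({"key": key, "ttl": (a["ttl"], e["ttl"]),
                            "src_mac": (a["src_mac"], e["src_mac"])})
        else:
            first_seen[key] = e
    return {
        "network": str(net.network_address), "broadcast": str(net.broadcast_address),
        "hosts": [str(h) for h in net.hosts()],
        "macs_by_src": {ip: sorted(m) for ip, m in macs_by_src.items()},
        "repeats": repeats, "special_dst": special_dst,
    }


# Constructed capture: the thread's /30 and header values, MACs invented for the example.
UPSTREAM_MAC, ROUTER_MAC, SNIFFER_MAC = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"
SAMPLE_PCAP = build_pcap([
    build_echo_frame(UPSTREAM_MAC, SNIFFER_MAC, "81.174.224.69", "81.174.224.70", 111, 45600, 512, 52213),
    build_echo_frame(ROUTER_MAC, SNIFFER_MAC, "81.174.224.69", "81.174.224.70", 110, 45600, 512, 52213),
    build_echo_frame(ROUTER_MAC, SNIFFER_MAC, "81.174.224.69", "81.174.224.68", 110, 45598, 512, 51701),
    build_echo_frame(UPSTREAM_MAC, SNIFFER_MAC, "81.174.224.69", "81.174.224.71", 111, 45601, 512, 52469),
])

if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE_PCAP, "81.174.224.68/30"), indent=2))
```

On a real capture (for example `snort -b` or `tcpdump -w out.pcap icmp`), replace SAMPLE_PCAP with the file contents; a source IP that shows up under two MACs, or the same ID/seq pair seen at two TTLs, is the evidence Erek is suggesting you look for before concluding the router itself is the sender.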
Current thread:
- Please help with this strangeness Michael Thompson (Jan 14)
- Re: Please help with this strangeness Erek Adams (Jan 15)