Snort mailing list archives

Re: Please help with this strangeness


From: Erek Adams <erek () snort org>
Date: Thu, 15 Jan 2004 07:25:49 -0500 (EST)

On Thu, 15 Jan 2004, Michael Thompson wrote:

> I was going through all my security logs today and I noticed something
> a little odd, and wondered if anyone could offer any insight? I am not
> that good at detailed security!
>
> I have an IP block assigned from my ISP, from 81.174.224.68 to
> 81.174.224.70.
>
> As I understand it, 68 is a broadcast address, 69 is assigned to the
> router, 70 is for a server, which I don't use at the present time.

Actually, that breaks down like this:

[erek@foofus]~>ipcalc 81.174.224.68/30
IP address          81   .  174   .  224   .   68    / 30
81.174.224.68/30
Netmask bits     11111111 11111111 11111111 11111100
Netmask bytes      255   .  255   .  255   .  252          255.255.255.252
Address bits     01010001 10101110 11100000 01000100
Network             81   .  174   .  224   .   68          81.174.224.68
Broadcast           81   .  174   .  224   .   71          81.174.224.71
First Host          81   .  174   .  224   .   69          81.174.224.69
Last Host           81   .  174   .  224   .   70          81.174.224.70
Total Hosts      2
PTR              68.224.174.81.in-addr.arpa
IP Address (hex) 51AEE044

So, .68 is your "network address" and .71 is the "broadcast".  You can use
.69 and .70 as hosts.

> Now, in my Snort logs, which is connected to the outside of the
> firewall, I get the following logs:
>
> [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
> [Classification: Misc activity] [Priority: 3]
> 01/15-02:49:35.625784 81.174.224.69 -> 81.174.224.70
> ICMP TTL:111 TOS:0xA0 ID:45600 IpLen:20 DgmLen:92
> Type:8  Code:0  ID:512   Seq:52213  ECHO
> [Xref => http://www.whitehats.com/info/IDS154]
>
> [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
> [Classification: Misc activity] [Priority: 3]
> 01/15-02:49:35.641759 81.174.224.69 -> 81.174.224.68
> ICMP TTL:110 TOS:0xA0 ID:45598 IpLen:20 DgmLen:92
> Type:8  Code:0  ID:512   Seq:51701  ECHO
> [Xref => http://www.whitehats.com/info/IDS154]
>
> [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
> [Classification: Misc activity] [Priority: 3]
> 01/15-02:49:35.642071 81.174.224.69 -> 81.174.224.70
> ICMP TTL:110 TOS:0xA0 ID:45600 IpLen:20 DgmLen:92
> Type:8  Code:0  ID:512   Seq:52213  ECHO
> [Xref => http://www.whitehats.com/info/IDS154]
>
> [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
> [Classification: Misc activity] [Priority: 3]
> 01/15-02:49:35.649566 81.174.224.69 -> 81.174.224.71
> ICMP TTL:111 TOS:0xA0 ID:45601 IpLen:20 DgmLen:92
> Type:8  Code:0  ID:512   Seq:52469  ECHO
> [Xref => http://www.whitehats.com/info/IDS154]
>
> [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
> [Classification: Misc activity] [Priority: 3]
> 01/15-02:49:35.665945 81.174.224.69 -> 81.174.224.71
> ICMP TTL:110 TOS:0xA0 ID:45601 IpLen:20 DgmLen:92
> Type:8  Code:0  ID:512   Seq:52469  ECHO
> [Xref => http://www.whitehats.com/info/IDS154]
>
> Now, I thought of Welchia or one of its many variants, and all
> machines are clean; the DHCP records show only one machine on the
> network connected mostly, that's my machine. It's clean.
>
> What could be causing these broadcasts? Anyone have any ideas?

Look at the real packet.  The full alerts show you the basic info, but
they don't show you the real packet.  You'll need to log in a binary
format (tcpdump/pcap) and post process to have a look at that.

I'm going to guess that if you really break down things, and have a look
at the MACs involved, you'll see that your 'router' is repeating these
Welchia pings from other machines on your ISP's network.  But then again,
that's a guess.  :)

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

