Snort mailing list archives
Re: Strange portscan traffic with dest of 169.254.x.x
From: Aaron Giuoco <agiuoco () yahoo com>
Date: Mon, 25 Feb 2008 14:13:51 -0800 (PST)
True. But it is unusual to see so much traffic from 169.254 leaving a computer that already has a network connection. I haven't been able to confirm whether the packets are related to ActiveSync like Paul mentioned.

Thanks for the replies. I'll try to confirm whether or not ActiveSync is being used on these PCs or not and post back.

AG

----- Original Message ----
From: CunningPike <cunningpike () gmail com>
To: snort-users () lists sourceforge net
Sent: Monday, February 25, 2008 3:33:02 PM
Subject: Re: [Snort-users] Strange portscan traffic with dest of 169.254.x.x

Directly from RFC3330: "169.254.0.0/16 - This is the "link local" block. It is allocated for communication between hosts on a single link. Hosts obtain these addresses by auto-configuration, such as when a DHCP server may not be found."

Why would a netblock that's not part of your internal network NOT get routed to your external firewall/router? Whether your router actually passes that traffic is another matter.

CP

Aaron Giuoco wrote:
For the past couple of days, I have been seeing some very strange portscan traffic coming from internal addresses and going to the internet. The Snort box I have been getting these alerts on is sitting just behind our Internet firewall. I have attached a screenshot of the alert.

It's odd for a couple reasons. First, why is 169.254 traffic even getting routed to our external firewall? This is probably something I need to discuss with our network admin. That just seems weird to me. Second, if I am reading the alert correctly, it looks like the computer is scanning itself for NetBIOS and SMB ports. I was just wondering if anyone else has seen anything like this.

AG

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
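The routing point raised in the thread can be checked with a longest-prefix match over a host's routing table. The following is an added example, not code from any poster in the thread; the routing tables, addresses and flows are constructed, and the function names are hypothetical.

```python
import ipaddress

# The "link local" block quoted from RFC 3330 in the thread.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

def next_hop(routes, dst):
    """Longest-prefix match: hop of the most specific route covering dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(prefix), hop)
               for prefix, hop in routes
               if addr in ipaddress.ip_network(prefix)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def leaked_link_local(flows, routes):
    """Flows to 169.254.0.0/16 that this host would hand to a gateway
    instead of keeping on the local link."""
    return [(src, dst, dport) for src, dst, dport in flows
            if ipaddress.ip_address(dst) in LINK_LOCAL
            and next_hop(routes, dst) != "on-link"]

# Constructed table: host with a normal address and no link-local route.
ROUTES_NO_LL = [("10.1.0.0/16", "on-link"), ("0.0.0.0/0", "10.1.0.1")]
# Constructed table: same host with an on-link route for 169.254.0.0/16.
ROUTES_WITH_LL = ROUTES_NO_LL + [("169.254.0.0/16", "on-link")]

# Constructed flows (src, dst, dst_port) resembling NetBIOS/SMB probes.
FLOWS = [
    ("10.1.4.20", "169.254.2.2", 139),
    ("10.1.4.20", "169.254.2.2", 445),
    ("10.1.4.20", "10.1.9.9", 445),
]

if __name__ == "__main__":
    for name, table in (("no link-local route", ROUTES_NO_LL),
                        ("with link-local route", ROUTES_WITH_LL)):
        print(name, "->", next_hop(table, "169.254.2.2"),
              leaked_link_local(FLOWS, table))
```

Without a more specific route, 169.254.x.x destinations match only the default route and are sent to the gateway, which is where a sensor behind the firewall would see them.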
Current thread:
- Strange portscan traffic with dest of 169.254.x.x Aaron Giuoco (Feb 25)
- Re: Strange portscan traffic with dest of 169.254.x.x Paul Melson (Feb 25)
- Re: Strange portscan traffic with dest of 169.254.x.x CunningPike (Feb 25)
- <Possible follow-ups>
- Re: Strange portscan traffic with dest of 169.254.x.x Aaron Giuoco (Feb 25)
- Re: Strange portscan traffic with dest of 169.254.x.x dhottinger (Feb 25)
- Re: Strange portscan traffic with dest of 169.254.x.x Joel Esler (Feb 25)
- Re: Strange portscan traffic with dest of 169.254.x.x dhottinger (Feb 25)
- Re: Strange portscan traffic with dest of 169.254.x.x Aaron Giuoco (Feb 26)