Snort mailing list archives

Re: Alerts where source and destination addresses equal 0.0.0.0


From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 24 Jan 2014 11:06:13 -0500

On 1/24/2014 7:02 AM, James Lay wrote:
> You can add them to your threshold.conf file:
>
> suppress gen_id 1, sig_id 2002023, track by_src, ip 0.0.0.0
>
> You'd have to add the above for each sig.  But seeing as those are IRC ports,
> I'd suggest something nefarious is going on.

agreed... especially given the following...

NetRange:       0.0.0.0 - 0.255.255.255
CIDR:           0.0.0.0/8
OriginAS:
NetName:        SPECIAL-IPV4-LOCAL-ID-IANA-RESERVED
NetHandle:      NET-0-0-0-0-1
Parent:
NetType:        IANA Special Use
Comment:        The address 0.0.0.0 may only be used as the address of an
                 outgoing packet when a computer is learning which IP address
                 it should use.  It is never used as a destination address.
                 Addresses starting with "0." are sometimes used for broadcasts
                 to directly connected devices.
Comment:
Comment:        If you see addresses starting with a "0." in logs they are
                 probably in use on your network, which might be as small as a
                 computer connected to a home gateway.
Comment:
Comment:        This block was assigned by the IETF, the organization that
                 develops Internet protocols, in the Standard document, RFC
                 1122, and is further documented in the Best Current Practice
                 document RFC 6890.  IANA is listed as the registrant to make it
                 clear that this network is not assigned to any single
                 organization.
Comment:
Comment:        These documents can be found at:
Comment:        http://datatracker.ietf.org/doc/rfc1122
Comment:        http://datatracker.ietf.org/doc/rfc6890
RegDate:
Updated:        2013-08-30
Ref:            http://whois.arin.net/rest/net/NET-0-0-0-0-1


-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
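
Added example, not part of the original message and not written by either poster: before suppressing per signature as suggested above, a short Python triage pass can list which signatures fire with both addresses inside 0.0.0.0/8 and on which destination ports. The alert_fast-style sample lines, every SID other than 2002023 and the function names are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# "This network" block from the whois output quoted above (RFC 1122 / RFC 6890).
THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")

# alert_fast layout: [gid:sid:rev] msg ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\].*?\{\w+\}\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?::(?P<dport>\d+))?")

# Constructed sample alerts (not from the thread); only SID 2002023 is on the page.
# The last line is a DHCP-style packet: 0.0.0.0 as source only, which is legitimate.
SAMPLE_ALERTS = """\
01/24-07:01:58.100001  [**] [1:2002023:1] constructed msg A [**] [Priority: 1] {TCP} 0.0.0.0:49152 -> 0.0.0.0:6667
01/24-07:01:59.100002  [**] [1:2002023:1] constructed msg A [**] [Priority: 1] {TCP} 0.0.0.0:49153 -> 0.0.0.0:6667
01/24-07:02:03.100003  [**] [1:9000001:1] constructed msg B [**] [Priority: 2] {TCP} 0.0.0.0:49154 -> 0.0.0.0:6668
01/24-07:02:04.100004  [**] [1:9000002:1] constructed msg C [**] [Priority: 3] {UDP} 192.0.2.10:5353 -> 198.51.100.7:53
01/24-07:02:05.100005  [**] [1:9000003:1] constructed msg D [**] [Priority: 3] {UDP} 0.0.0.0:68 -> 255.255.255.255:67
"""

def zero_net_alerts(text):
    """Count alerts with source AND destination in 0.0.0.0/8, per (gid, sid)."""
    hits = defaultdict(lambda: {"count": 0, "dports": set()})
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not an alert line
        try:
            src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # octet out of range: malformed log line
        if src in THIS_NETWORK and dst in THIS_NETWORK:
            entry = hits[(int(m["gid"]), int(m["sid"]))]
            entry["count"] += 1
            if m["dport"]:
                entry["dports"].add(int(m["dport"]))
    return dict(hits)

def suppress_lines(hits):
    """threshold.conf entries in the thread's form (matches only the exact address 0.0.0.0)."""
    return [f"suppress gen_id {g}, sig_id {s}, track by_src, ip 0.0.0.0"
            for g, s in sorted(hits)]

if __name__ == "__main__":
    hits = zero_net_alerts(SAMPLE_ALERTS)
    for key in sorted(hits):
        print(key, hits[key]["count"], sorted(hits[key]["dports"]))
    print("\n".join(suppress_lines(hits)))
```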
