Snort mailing list archives

Re: MY SNORT DETECT only one IP: 0.0.0.0:68 UDP


From: Carlos Rodriguez Hernandez <crodriguezh.ext () redborder com>
Date: Mon, 22 Feb 2016 17:24:51 +0100

Hello Saulo,

Typically this traffic is related to normal DHCP operation and is not an
attack on your network.  DHCP (Dynamic Host Configuration Protocol) is how
your computer gets its unique IP address.  When a system starts up on a
network it must first request an IP address (assume it is not using a
static IP address), and it does this by broadcasting a request to the DHCP
server:

UDP 0.0.0.0:68 -> 255.255.255.255:67

Since the requesting system doesn't have an IP address (which is why it is asking),
it uses 0.0.0.0, and since it's new to the network it doesn't know where the
DHCP server is, so it broadcasts the request to the entire network.

2016-02-22 15:53 GMT+01:00 <snort-users-request () lists sourceforge net>:

Message: 1
Date: Fri, 19 Feb 2016 15:57:14 -0200
From: Saulo Fernandes <sauloitu () gmail com>
Subject: [Snort-users] MY SNORT DETECT only one IP: 0.0.0.0:68 UDP.
To: snort-users () lists sourceforge net
Message-ID: <CAJaY=_Z_NG9Dr0EKB9G3jL1EwZUOE8qhivOQs40mDO=vj+D1pQ () mail gmail com>
Content-Type: text/plain; charset="utf-8"

Hello, I'm new here in this forum, and also new to Snort.
I installed Snort-mysql + BASE here on the company network, but for some
reason Snort only shows this IP, 0.0.0.0:68 UDP, as shown in the log below.
The strange thing is that my IP range is 10.10.10.1 to 10.10.10.126 with
mask 255.255.255.128, and still Snort is detecting this 0.0.0.0:68.

Sending the Snort alert log:

[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
02/19-12:31:57.762519 0.0.0.0:68 -> 255.255.255.255:67
UDP TTL:64 TOS:0x0 ID:30729 IpLen:20 DgmLen:328
Len: 300



-- 
Carlos Rodríguez

C Developer
crodriguezh.ext () redborder com

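As an added illustration of the explanation above (this is not code from the thread or from Snort): the Python below parses an alert in Snort's full-log text format, recognises the DHCP client bootstrap pattern (UDP 0.0.0.0:68 -> 255.255.255.255:67) that Carlos describes, and emits a threshold.conf `suppress` entry scoped to that source only. The sample alert is constructed from the one Saulo quoted; the `Alert` field names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in Snort "full" alert format, modelled on the alert quoted in the thread.
SAMPLE_ALERT = """[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
02/19-12:31:57.762519 0.0.0.0:68 -> 255.255.255.255:67
UDP TTL:64 TOS:0x0 ID:30729 IpLen:20 DgmLen:328
Len: 300
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")
# Timestamp (MM/DD-hh:mm:ss.usec), then src[:port] -> dst[:port]; ports absent for ICMP/IP.
FLOW_RE = re.compile(r"^\d\d/\d\d-[\d:.]+ " + IP + r"(?::(\d+))? -> " + IP + r"(?::(\d+))?$", re.M)
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP|IP) TTL:", re.M)

@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    proto: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]

def parse_alert(text: str) -> Alert:
    """Parse one alert record in Snort's full-alert text format."""
    hdr, flow, proto = HEADER_RE.search(text), FLOW_RE.search(text), PROTO_RE.search(text)
    if not (hdr and flow and proto):
        raise ValueError("not a recognised Snort full-format alert")
    gid, sid, rev, msg = hdr.groups()
    src_ip, src_port, dst_ip, dst_port = flow.groups()
    return Alert(int(gid), int(sid), int(rev), msg, proto.group(1),
                 src_ip, int(src_port) if src_port else None,
                 dst_ip, int(dst_port) if dst_port else None)

def is_dhcp_client_bootstrap(a: Alert) -> bool:
    """An unconfigured client (0.0.0.0, port 68) broadcasting to the DHCP server port (67)."""
    return (a.proto == "UDP" and a.src_ip == "0.0.0.0" and a.src_port == 68
            and a.dst_ip == "255.255.255.255" and a.dst_port == 67)

def suppress_line(a: Alert) -> str:
    """threshold.conf entry silencing this rule for this source only; it still fires for other hosts."""
    return f"suppress gen_id {a.gid}, sig_id {a.sid}, track by_src, ip {a.src_ip}"
```

Only the bootstrap case is matched; a host with a real address (e.g. 10.10.10.5:68) hitting the same rule still surfaces, which is what you want when triaging rather than blanket-disabling sid 527.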