First time contributor and not too well informed but hoping to add to the
understanding of the issue at hand.
I have been following this thread and its predecessor for the past few
days. Having some time available, I elected to check one of my snort alert
logs for occurances of the address 255.255.255.255. I found one. Then I
checked prvoious recent logs and found not others. Here is the one and
only one which snort recorded:
The ip address of our host has been replaced with 'a_KWeb_host_ip'.
The host is a Win NT 4 server sp6a (if it matters?). Since I have found
only one, I am assuming that our host ip was spoofed and because I have
snort logging everything it can, I happened to record this contribution.
It means very little to me, but I hope it may help your understanding.
Regards,
Geert
------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
First time contributor and not too well informed but hoping to add to the
understanding of the issue at hand.
I have been following this thread and its predecessor for the past few
days. Having some time available, I elected to check one of my snort alert
logs for occurances of the address 255.255.255.255. I found one. Then I
checked prvoious recent logs and found not others. Here is the one and
only one which snort recorded:
[**] ICMP Destination Unreachable (Undefined Code!) [**]
01/30-06:44:51.542691 211.172.208.11 -> a_KWeb_host_ip
ICMP TTL:39 TOS:0x0 ID:10599 IpLen:20 DgmLen:76
Type:3 Code:2 DESTINATION UNREACHABLE: PROTOCOL UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
a_KWeb_host_ip:29085 -> 255.255.255.255:80
TCP TTL:129 TOS:0x0 ID:13954 IpLen:20 DgmLen:40
******** Seq: 0x5AA00000 Ack: 0xD3ED Win: 0xFFFF TcpLen: 52
** END OF DUMP
The ip address of our host has been replaced with 'a_KWeb_host_ip'.
The host is a Win NT 4 server sp6a (if it matters?). Since I have found
only one, I am assuming that our host ip was spoofed and because I have
snort logging everything it can, I happened to record this contribution.
It means very little to me, but I hope it may help your understanding.
Regards,
Geert
------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
[ reply ]