List: snort-sigs
Subject: Re: [Snort-sigs] Alerts where source and destination addresses equal 0.0.0.0
From: waldo kitty <wkitty42 () windstream ! net>
Date: 2014-01-24 16:06:13
Message-ID: 52E28F75.8020606 () windstream ! net
On 1/24/2014 7:02 AM, James Lay wrote:
> You can add them to your threshold.conf file:
>
> suppress gen_id 1, sig_id 2002023, track by_src, ip 0.0.0.0
>
> You'd have to add the above for each sig. But seeing as those are IRC ports,
> I'd suggest something nefarious is going on.
agreed... especially given the following...
NetRange: 0.0.0.0 - 0.255.255.255
CIDR: 0.0.0.0/8
OriginAS:
NetName: SPECIAL-IPV4-LOCAL-ID-IANA-RESERVED
NetHandle: NET-0-0-0-0-1
Parent:
NetType: IANA Special Use
Comment: The address 0.0.0.0 may only be used as the address of an
outgoing packet when a computer is learning which IP address
it should use. It is never used as a destination address.
Addresses starting with "0." are sometimes used for broadcasts
to directly connected devices.
Comment:
Comment: If you see addresses starting with a "0." in logs they are
probably in use on your network, which might be as small as a
computer connected to a home gateway.
Comment:
Comment: This block was assigned by the IETF, the organization that
develops Internet protocols, in the Standard document, RFC
1122, and is further documented in the Best Current Practice
document RFC 6890. IANA is listed as the registrant to make it
clear that this network is not assigned to any single
organization.
Comment:
Comment: These documents can be found at:
Comment: http://datatracker.ietf.org/doc/rfc1122
Comment: http://datatracker.ietf.org/doc/rfc6890
RegDate:
Updated: 2013-08-30
Ref: http://whois.arin.net/rest/net/NET-0-0-0-0-1
--
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
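
Added example, not part of the original message or of Snort itself: a small triage script that groups alerts touching 0.0.0.0/8 by signature before any suppress entries are written, and marks signatures where the block appears as a destination (which the ARIN record above says is never valid). It assumes Snort's "fast" alert line format; the sample alert lines, their message text and the function names `triage` and `suppress_lines` are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# 0.0.0.0/8 is the "this network" block from the ARIN record quoted above.
THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")

# Snort "fast" alert line: [gid:sid:rev] msg ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?"
)

# Constructed sample alerts (not taken from the thread).
SAMPLE = """\
01/24-07:01:58.100000  [**] [1:2002023:1] constructed msg A [**] [Priority: 3] {TCP} 0.0.0.0:1042 -> 0.0.0.0:6667
01/24-07:01:59.200000  [**] [1:2002023:1] constructed msg A [**] [Priority: 3] {TCP} 0.0.0.0:1043 -> 0.0.0.0:6667
01/24-07:02:03.300000  [**] [1:1000001:1] constructed msg B [**] [Priority: 2] {TCP} 192.0.2.10:51515 -> 198.51.100.7:80
01/24-07:02:04.400000  [**] [1:1000002:1] constructed msg C [**] [Priority: 2] {UDP} 0.0.0.0:68 -> 255.255.255.255:67
"""

def triage(lines):
    """Group alerts whose source or destination lies in 0.0.0.0/8 by (gid, sid)."""
    hits = defaultdict(lambda: {"count": 0, "dst_ports": set(), "dst_in_block": False})
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # not a fast-format alert line
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if src not in THIS_NETWORK and dst not in THIS_NETWORK:
            continue
        entry = hits[(int(m["gid"]), int(m["sid"]))]
        entry["count"] += 1
        if m["dport"]:
            entry["dst_ports"].add(int(m["dport"]))
        # A destination inside 0.0.0.0/8 is never valid, so mark the signature.
        entry["dst_in_block"] |= dst in THIS_NETWORK
    return dict(hits)

def suppress_lines(hits):
    """One threshold.conf entry per signature, in the form quoted in the thread."""
    return [f"suppress gen_id {g}, sig_id {s}, track by_src, ip 0.0.0.0"
            for (g, s) in sorted(hits)]

if __name__ == "__main__":
    hits = triage(SAMPLE.splitlines())
    print(hits, *suppress_lines(hits), sep="\n")
```

Signatures reported with `dst_in_block` set are the ones to investigate rather than suppress; a 0.0.0.0 source sent to a broadcast address, as in the last constructed line, matches the address-learning case the ARIN comment describes.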