This is a discussion on [Snort-users] Scan Nmap, Multicast Address within the Snort forums, part of the System Security and Security Related category.

Hi,

When I checked my ACID logs, I saw an alert like this:

    SCAN nmap TCP 230.242.34.196:48730 (Source IP) xxx.xxx.xxx.xxx:34972 (Local IP)

I know that 230.242.34.196 is a multicast address. Is that true?

The nslookup query is below:

    > 230.242.34.196
    Server: flag.ip4.int
    Address: 198.32.4.13

    196.34.242.230.in-addr.arpa name = reserved-multicast-range-NOT-delegated.example.com
    230.in-addr.arpa nameserver = flag.ep.net
    230.in-addr.arpa nameserver = dot.ep.net
    dot.ep.net internet address = 198.32.2.10
    dot.ep.net AAAA IPv6 address = 2001:478:6:0:230:48ff:fe22:6a29
    dot.ep.net AAAA IPv6 address = 3ffe:0:1:0:230:48ff:fe22:6a29
    flag.ep.net internet address = 198.32.4.13
    flag.ep.net AAAA IPv6 address = 3ffe:805:0:0:2d0:b7ff:fee8:c4d9

How does it happen? Is that spoofing? Does anybody have an idea?

Thanks for your reply...

Ozguc.