True. But it is unusual to see so much traffic from 169.254 leaving a computer
that already has a network connection.
I haven't been able to confirm whether the packets are related to ActiveSync
like Paul mentioned. Thanks for the replies. I'll try to confirm whether or
not ActiveSync is being used on these PCs or not and post back.
AG
----- Original Message ----
From: CunningPike <cunningpike@gmail.com>
To: snort-users@lists.sourceforge.net
Sent: Monday, February 25, 2008 3:33:02 PM
Subject: Re: [Snort-users] Strange portscan traffic with dest of 169.254.x.x
Directly from RFC3330:
"169.254.0.0/16 - This is the "link local" block. It is allocated for
communication between hosts on a single link. Hosts obtain these
addresses by auto-configuration, such as when a DHCP server may not
be found."
Why would a netblock that's not part of your internal network NOT get
routed to your external firewall/router? Whether your router actually
passes that traffic is another matter.
CP
Aaron Giuoco wrote:
For the past couple of days, I have been seeing some very strange portscan
traffic coming from internal addresses and going to the internet. The Snort
box I have been getting these alerts on is sitting just behind our Internet
firewall. I have attached a screenshot of the alert.
It's odd for a couple reasons. First, why is 169.254 traffic even getting
routed to our external firewall. This is probably something I need to
discuss with our network admin. That just seems weird to me. Second, if I
am reading the alert correctly, it looks like the computer is scanning itself
for NetBIOS and SMB ports. I was just wondering if anyone else has seen
anything like this.
AG
____________________________________________________________________________________
Never miss a thing. Make Yahoo your home page.
http://www.yahoo.com/r/hs
------------------------------------------------------------------------
------------------------------------------------------------------------
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
____________________________________________________________________________________
Never miss a thing. Make Yahoo your home page.
http://www.yahoo.com/r/hs
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
