
| Subject: | Re: [Snort-users] Strange portscan traffic with dest of 169.254.x.x |
|---|---|
| Date: | Mon, 25 Feb 2008 18:02:04 -0500 |
CunningPike had it right. When your machines can't find an IP (via DHCP, or whatever), they default to the 169.254.x.x range. Since your machines were contacting ports 139:445, I am willing to bet that it's a Windows machine plugged into the network somewhere (on the same broadcast domain as your Snort sensor) that can't DHCP itself for whatever reason.

My suggestion is that you use Snort in sniffer mode, like

    # snort -vde 'net 169.254.0.0/16'

and look at the MAC addresses. See if that helps you out any. Assigning these IPs should be the default behavior of both Windows and OSX.

Joel

On Feb 25, 2008, at 5:47 PM, dhottinger@harrisonburg.k12.va.us wrote:
> Quoting Aaron Giuoco <agiuoco@yahoo.com>:
>
>> True. But it is unusual to see so much traffic from 169.254 leaving a computer that already has a network connection. I haven't been able to confirm whether the packets are related to ActiveSync like Paul mentioned. Thanks for the replies. I'll try to confirm whether or not ActiveSync is being used on these PCs or not and post back.
>>
>> AG
>
> I missed part of this post. However, I see lots of 169 traffic from my Apple 10.4, 10.5 computers. I think they use it for Bonjour or Entourage, which is a way to find printers and other network resources.
>
> --
> Dwayne Hottinger
> Network Administrator
> Harrisonburg City Public Schools
> "Everything should be made as simple as possible, but not simpler." -- Albert Einstein
--
Joel Esler
joel.esler@sourcefire.com

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
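Added example (not part of the original thread, and not Snort's own code): a small triage script that does the "look at the MAC addresses" step Joel suggests. It reads the text that `snort -vde` prints in sniffer mode, groups packets by source MAC so the host that auto-configured a 169.254.x.x address can be traced to a switch port, and applies the thread's two heuristics: NetBIOS/SMB destination ports (137/138/139/445) from a link-local source point at a Windows box that failed DHCP, while mDNS (UDP 5353 to 224.0.0.251) is the Bonjour-style discovery Dwayne mentions seeing from Macs. The line layout it parses (an Ethernet line with `src MAC -> dst MAC type:0x800`, followed by an `src:port -> dst:port PROTO` line) is the Snort 2.x `-vde` format as the author recalls it; the sample capture below is constructed, not real traffic, and the MAC and IP values in it are made up.

```python
"""Triage link-local (169.254.0.0/16) traffic from `snort -vde` sniffer output.

Groups packets by source MAC and labels the likely cause, following the
heuristics in the Snort-users thread: NetBIOS/SMB ports from an APIPA address
suggest a Windows host that could not get a DHCP lease; mDNS suggests Bonjour.
"""
import ipaddress
import re
from collections import defaultdict

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
WINDOWS_PORTS = {137, 138, 139, 445}   # NetBIOS-NS, NetBIOS-DGM, NetBIOS-SSN, SMB
MDNS_PORT = 5353                        # Bonjour / mDNS service discovery

# Ethernet header line printed by `snort -e` (assumed Snort 2.x layout):
#   MM/DD-HH:MM:SS.usec SRCMAC -> DSTMAC type:0x800 len:0x..
ETH_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<smac>[0-9A-Fa-f:]+)\s+->\s+(?P<dmac>[0-9A-Fa-f:]+)\s+type:0x(?P<type>[0-9A-Fa-f]+)"
)
# IP header line: src:port -> dst:port PROTO TTL:... (ICMP lines have no ports and are skipped)
IP_RE = re.compile(
    r"^(?P<sip>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dip>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s+(?P<proto>TCP|UDP)"
)

# Constructed sample of what `snort -vde 'net 169.254.0.0/16'` might print; all addresses invented.
SAMPLE = """\
02/25-17:40:12.101 0:1A:2B:3C:4D:5E -> FF:FF:FF:FF:FF:FF type:0x800 len:0x5C
169.254.13.7:137 -> 169.254.255.255:137 UDP TTL:128 TOS:0x0 ID:12 IpLen:20 DgmLen:78

02/25-17:40:12.411 0:1A:2B:3C:4D:5E -> 0:50:56:AA:BB:CC type:0x800 len:0x3E
169.254.13.7:1045 -> 10.1.4.20:445 TCP TTL:128 TOS:0x0 ID:13 IpLen:20 DgmLen:48 ******S*

02/25-17:40:13.020 0:17:F2:11:22:33 -> 1:0:5E:0:0:FB type:0x800 len:0x7A
169.254.88.1:5353 -> 224.0.0.251:5353 UDP TTL:255 TOS:0x0 ID:0 IpLen:20 DgmLen:108

02/25-17:40:13.500 0:50:56:AA:BB:CC -> 0:1A:2B:3C:4D:5E type:0x800 len:0x3E
10.1.4.20:445 -> 169.254.13.7:1045 TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:48 ***A**S*
"""


def parse_snort_vde(text):
    """Return (src_mac, src_ip, dst_ip, dst_port, proto) tuples, one per TCP/UDP packet.

    The Ethernet line always precedes the IP line of the same packet, so the most
    recent Ethernet match is attached to the next IP match and then discarded.
    """
    records = []
    eth = None
    for line in text.splitlines():
        line = line.strip()
        m = ETH_RE.match(line)
        if m:
            eth = m.groupdict()
            continue
        m = IP_RE.match(line)
        if m and eth is not None:
            d = m.groupdict()
            records.append((eth["smac"].lower(), d["sip"], d["dip"], int(d["dport"]), d["proto"]))
            eth = None
    return records


def classify(records):
    """Group packets whose *source* is link-local by MAC and label the probable cause."""
    by_mac = defaultdict(lambda: {"ips": set(), "dports": set(), "packets": 0})
    for smac, sip, dip, dport, proto in records:
        if ipaddress.ip_address(sip) not in LINK_LOCAL:
            continue  # replies from normally-addressed hosts are not what we are hunting
        entry = by_mac[smac]
        entry["ips"].add(sip)
        entry["dports"].add(dport)
        entry["packets"] += 1

    report = {}
    for smac, entry in by_mac.items():
        if entry["dports"] & WINDOWS_PORTS:
            verdict = "probable Windows host that failed DHCP (NetBIOS/SMB from APIPA address)"
        elif MDNS_PORT in entry["dports"]:
            verdict = "Bonjour/mDNS service discovery (benign link-local use)"
        else:
            verdict = "link-local source, unclassified"
        report[smac] = {
            "ips": sorted(entry["ips"]),
            "dports": sorted(entry["dports"]),
            "packets": entry["packets"],
            "verdict": verdict,
        }
    return report


def summarize(text):
    """Parse sniffer output and return the per-MAC report (convenience wrapper)."""
    return classify(parse_snort_vde(text))


if __name__ == "__main__":
    for mac, info in summarize(SAMPLE).items():
        print(f"{mac}: {info['packets']} pkts from {info['ips']} to ports {info['dports']}")
        print(f"    -> {info['verdict']}")
```

Run it against saved sniffer output with `python3 triage.py < capture.txt` after changing `SAMPLE` to `sys.stdin.read()`; the source MAC in the report is what you look up in the switch's MAC address table to find the port the mis-configured host is on.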