Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] Strange portscan traffic with dest of 169.254.x.x

from [Aaron Giuoco] Network Security [Permanent Link]
Subject: Re: [Snort-users] Strange portscan traffic with dest of 169.254.x.x
Date: Tue, 26 Feb 2008 06:08:37 -0800 (PST) 
Thanks for all of the comments.  I'm thinking about just suppressing those 
alerts to the 169.254.0.0/16 range.  The other strange thing about this that, 
something I failed to mention in my original post, is the volume of these 
alerts.  It's not consistent across all of the machines.  Usually, there will 
be just one or two boxes out there that generate 300-400 of these types of 
alerts over a 24-hour period.  The next closest machine is usually generating 
between 20 and 50 alerts.  Then everything returns to normal.

For that reason, I think it might be something installed on those specific 
computers that is generating all of that traffic.  The traffic is probably 
harmless, but now I'm curious.  So I'm off to chase the wild goose!
:-)

AG

----- Original Message ----
From: Joel Esler <joel.esler@sourcefire.com>
To: dhottinger@harrisonburg.k12.va.us
Cc: snort-users@lists.sourceforge.net
Sent: Monday, February 25, 2008 5:02:04 PM
Subject: Re: [Snort-users] Strange portscan traffic with dest of 169.254.x.x

CunningPike had it right.  When your machines can't find an IP (via  
DHCP, or whatever), they default to the 169.254.x.x range.

Since your machines were contacting ports 139:445, I am willing to bet  
that it's a Windows machine plugged into the network somewhere, (on  
the same broadcast domain as your Snort sensor), and can't DHCP itself  
for whatever reason.

My suggest is that you use Snort in sniffer mode like

#snort -vde 'net 169.254.x.x' look at the mac addresses.  See if that  
helps you out any.

Assigning these IPs should be the default behavior of both Windows and  
OSX.

Joel

On Feb 25, 2008, at 5:47 PM, dhottinger@harrisonburg.k12.va.us wrote:


Quoting Aaron Giuoco <agiuoco@yahoo.com>:


True.  But it is unusual to see so much traffic from 169.254 leaving
a computer that already has a network connection.

I haven't been able to confirm whether the packets are related to
ActiveSync like Paul mentioned.  Thanks for the replies.  I'll try
to confirm whether or not ActiveSync is being used on these PCs or
not and post back.

AG


I missed part of this post.  However, I see lots of 169 traffic from
my apple 10.4, 10.5 computers.  I think they use it for bonjour or
entourage, which is a way to find printers, and other network  
resources.


-- 
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools

"Everything should be made as simple as possible, but not simpler."
-- Albert Einstein


-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




--
Joel Esler ï joel.esler@sourcefire.com





-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




      
____________________________________________________________________________________
Looking for last minute shopping deals?  
Find them fast with Yahoo! Search.  
http://tools.search.yahoo.com/newsearch/category.php?category=shopping

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-users] SQL to purge alerts over 1 month old?, Terry Burton
Next by Date:  [Snort-users] Problem with flexresp2 (reset_both) and snort 2.8.0.2, Hermano Pereira
Previous by Thread:  Re: [Snort-users] Strange portscan traffic with dest of 169.254.x.x, Joel Esler
Next by Thread:  [Snort-users] Problem with flexresp2 (reset_both) and snort 2.8.0.2, Hermano Pereira
Indexes:  [Date] [Thread] [Top] [All Lists]