Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

From: Geert Kiers (kwebat_private)
Date: Sun Feb 02 2003 - 09:45:32 PST


    Greetings:
    
    First time contributor and not too well informed but hoping to add to the
    understanding of the issue at hand.
    
    I have been following this thread and its predecessor for the past few
    days.  Having some time available, I elected to check one of my snort alert
    logs for occurrences of the address 255.255.255.255.  I found one.  Then I
    checked previous recent logs and found no others.  Here is the one and
    only one which snort recorded:
    
    [**] ICMP Destination Unreachable (Undefined Code!) [**]
    01/30-06:44:51.542691 211.172.208.11 -> a_KWeb_host_ip
    ICMP TTL:39 TOS:0x0 ID:10599 IpLen:20 DgmLen:76
    Type:3  Code:2  DESTINATION UNREACHABLE: PROTOCOL UNREACHABLE
    ** ORIGINAL DATAGRAM DUMP:
    a_KWeb_host_ip:29085 -> 255.255.255.255:80
    TCP TTL:129 TOS:0x0 ID:13954 IpLen:20 DgmLen:40
    ******** Seq: 0x5AA00000  Ack: 0xD3ED  Win: 0xFFFF  TcpLen: 52
    ** END OF DUMP
    
    The ip address of our host has been replaced with 'a_KWeb_host_ip'.
    The host is a Win NT 4 server sp6a (if it matters?).  Since I have found
    only one, I am assuming that our host ip was spoofed and because I have
    snort logging everything it can, I happened to record this contribution.
    
    It means very little to me, but I hope it may help your understanding.
    
    Regards,
    
    Geert
    
    



    This archive was generated by hypermail 2b30 : Mon Feb 03 2003 - 07:55:37 PST
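
Added example (not part of the original message and not Snort's own code): the log check described in the post, automated. It scans Snort full-format alerts for ICMP unreachable errors whose quoted original datagram was addressed to 255.255.255.255 and compares the quoted length fields; the function name and the sample log are assumptions made for this example, with the redacted host replaced by the documentation address 192.0.2.10.

```python
import re
# Constructed sample: the alert from the post (redacted host replaced by the
# documentation address 192.0.2.10) plus one unrelated, constructed alert.
SAMPLE_LOG = """\
[**] ICMP Destination Unreachable (Undefined Code!) [**]
01/30-06:44:51.542691 211.172.208.11 -> 192.0.2.10
ICMP TTL:39 TOS:0x0 ID:10599 IpLen:20 DgmLen:76
Type:3  Code:2  DESTINATION UNREACHABLE: PROTOCOL UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
192.0.2.10:29085 -> 255.255.255.255:80
TCP TTL:129 TOS:0x0 ID:13954 IpLen:20 DgmLen:40
******** Seq: 0x5AA00000  Ack: 0xD3ED  Win: 0xFFFF  TcpLen: 52
** END OF DUMP

[**] ICMP Destination Unreachable (Port Unreachable) [**]
01/30-07:02:10.000001 198.51.100.7 -> 192.0.2.10
ICMP TTL:52 TOS:0x0 ID:4411 IpLen:20 DgmLen:56
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
192.0.2.10:1045 -> 198.51.100.7:53
UDP TTL:120 TOS:0x0 ID:2001 IpLen:20 DgmLen:61
** END OF DUMP
"""

EMBED = re.compile(
    r"^\S+ (?P<reporter>[\d.]+) -> \S+\n.*?"
    r"\*\* ORIGINAL DATAGRAM DUMP:\n"
    r"(?P<src>[^:\s]+):(?P<sport>\d+) -> (?P<dst>[^:\s]+):(?P<dport>\d+)\n"
    r"(?P<proto>\w+) .*?IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+)\n"
    r"(?P<rest>.*?)\*\* END OF DUMP",
    re.S | re.M)

def broadcast_backscatter(log, target="255.255.255.255"):
    """Return ICMP-unreachable alerts whose quoted datagram was sent to `target`."""
    text = "\n".join(line.strip() for line in log.splitlines())  # tolerate indented logs
    findings = []
    for block in re.split(r"\n{2,}", text.strip()):  # alerts are blank-line separated
        m = EMBED.search(block)
        if not m or m["dst"] != target:
            continue
        tcplen = re.search(r"TcpLen:\s*(\d+)", m["rest"])
        findings.append({
            "reporter": m["reporter"],    # host that returned the ICMP error
            "claimed_src": m["src"],      # source address in the quoted header
            "dport": int(m["dport"]), "proto": m["proto"],
            # an IP header plus a TCP header cannot be longer than the datagram
            "bad_lengths": bool(tcplen) and int(m["iplen"]) + int(tcplen[1]) > int(m["dgmlen"]),
        })
    return findings
```

On the alert from the post the length check fires: the quoted header reports IpLen 20 and TcpLen 52 against a DgmLen of 40.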