OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Re: [Snort-users] Strange portscan traffic with dest of 169.254.x.x

From: Joel Esler (joel.eslersourcefire.com)
Date: Mon Feb 25 2008 - 17:02:04 CST


CunningPike had it right. When your machines can't find an IP (via
DHCP, or whatever), they default to the 169.254.x.x range.

Since your machines were contacting ports 139:445, I am willing to bet
that it's a Windows machine plugged into the network somewhere, (on
the same broadcast domain as your Snort sensor), and can't DHCP itself
for whatever reason.

My suggest is that you use Snort in sniffer mode like

#snort -vde 'net 169.254.x.x' look at the mac addresses. See if that
helps you out any.

Assigning these IPs should be the default behavior of both Windows and
OSX.

Joel

On Feb 25, 2008, at 5:47 PM, dhottingerharrisonburg.k12.va.us wrote:

> Quoting Aaron Giuoco <agiuocoyahoo.com>:
>
>> True. But it is unusual to see so much traffic from 169.254 leaving
>> a computer that already has a network connection.
>>
>> I haven't been able to confirm whether the packets are related to
>> ActiveSync like Paul mentioned. Thanks for the replies. I'll try
>> to confirm whether or not ActiveSync is being used on these PCs or
>> not and post back.
>>
>> AG
>>
> I missed part of this post. However, I see lots of 169 traffic from
> my apple 10.4, 10.5 computers. I think they use it for bonjour or
> entourage, which is a way to find printers, and other network
> resources.
>
>
> --
> Dwayne Hottinger
> Network Administrator
> Harrisonburg City Public Schools
>
> "Everything should be made as simple as possible, but not simpler."
> -- Albert Einstein
>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> Snort-users mailing list
> Snort-userslists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>

--
Joel Esler  joel.eslersourcefire.com

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users