Re: what is this?

From: Jay DeSotel (jay_at_interl.net)
Date: 08/19/03

  • Next message: wirepair: "lots of sobig virus emails." 
    Date: Tue, 19 Aug 2003 11:43:57 -0500 (CDT)
To: Kostas K <acezerocool@yahoo.com>

    Looks like multicast traffic to me. There are a few static addresses for
    multicast stuff:

    "all systems on this subnet" 224.0.0.1
    "all routers on this subnet" 224.0.0.2
    "all DVMRP routers" 224.0.0.4
    "all OSPF routers" 224.0.0.5
    "all OSPF designated routers" 224.0.0.6
    "all RIP2 routers" 224.0.0.9
    "all PIM routers" 224.0.0.13
    "all CBT routers" 224.0.0.15 

    --
AA7C EF9F 451F E4AF EB1E 7212 BA37 2882 E813 5B02
--
Jay DeSotel
Systems Administrator
InterLink L.C.
<jay@interl.net>
On 19 Aug 2003, Kostas K wrote:
>
>
> Hi list,
>
> I captured activity with snort and i can't think of what is it? Does
> anybody know.
>
> 08/19-00:42:39.063639 20:53:52:43:0:0 -> 44:45:53:54:0:0 type:0x800
> len:0x2A
> 194.30.220.216 -> 224.0.0.1 PROTO002 TTL:1 TOS:0xC0 ID:44416 IpLen:20
> DgmLen:28
> 11 64 EE 9B 00 00 00 00                          .d......
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 08/19-00:43:39.185528 20:53:52:43:0:0 -> 44:45:53:54:0:0 type:0x800
> len:0x2A
> 194.30.220.216 -> 224.0.0.1 PROTO002 TTL:1 TOS:0xC0 ID:48569 IpLen:20
> DgmLen:28
> 11 64 EE 9B 00 00 00 00                          .d......
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 08/19-00:44:39.301674 20:53:52:43:0:0 -> 44:45:53:54:0:0 type:0x800
> len:0x2A
> 194.30.220.216 -> 224.0.0.1 PROTO002 TTL:1 TOS:0xC0 ID:51771 IpLen:20
> DgmLen:28
> 11 64 EE 9B 00 00 00 00                          .d......
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 08/19-00:45:39.423600 20:53:52:43:0:0 -> 44:45:53:54:0:0 type:0x800
> len:0x2A
> 194.30.220.216 -> 224.0.0.1 PROTO002 TTL:1 TOS:0xC0 ID:55167 IpLen:20
> DgmLen:28
> 11 64 EE 9B 00 00 00 00                          .d......
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 08/19-00:46:39.556458 20:53:52:43:0:0 -> 44:45:53:54:0:0 type:0x800
> len:0x2A
> 194.30.220.216 -> 224.0.0.1 PROTO002 TTL:1 TOS:0xC0 ID:58562 IpLen:20
> DgmLen:28
> 11 64 EE 9B 00 00 00 00                          .d......
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 08/19-00:47:39.672239 20:53:52:43:0:0 -> 44:45:53:54:0:0 type:0x800
> len:0x2A
> 194.30.220.216 -> 224.0.0.1 PROTO002 TTL:1 TOS:0xC0 ID:62338 IpLen:20
> DgmLen:28
> 11 64 EE 9B 00 00 00 00
>
>
>
> By the way is there any link that explains well snort's output?
>
>
> Thanx in advance
>
> ---------------------------------------------------------------------------
> Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
>  - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
>  - Automatically Control P2P, IM and Spam Traffic
>  - Ensure Reliable Performance of Mission Critical Applications
>  - Precisely Define and Implement Network Security and Performance Policies
> **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
> Visit us at:
> http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
> ----------------------------------------------------------------------------
>
---------------------------------------------------------------------------
Captus Networks - Integrated Intrusion Prevention and Traffic Shaping  
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Automatically Control P2P, IM and Spam Traffic
 - Ensure Reliable Performance of Mission Critical Applications
 - Precisely Define and Implement Network Security and Performance Policies
**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
Visit us at: 
http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
----------------------------------------------------------------------------
  • Next message: wirepair: "lots of sobig virus emails."

    Relevant Pages

    • Re: Increasing ICMP Echo Requests
      ... In the company I'm working for, we also have noticed a increasing number of ICPM request. ... > Captus Networks - Integrated Intrusion Prevention and Traffic Shaping ... > - Ensure Reliable Performance of Mission Critical Applications ...
      (Incidents)
    • RE: what is this?
      ... > Captus Networks - Integrated Intrusion Prevention and Traffic Shaping ... > - Ensure Reliable Performance of Mission Critical Applications ... A presente mensagem pode conter informação considerada confidencial. ...
      (Incidents)
    • RE: DCOM worm with get.bat bot.rar
      ... DCOM worm with get.bat bot.rar ... > Captus Networks - Integrated Intrusion Prevention and Traffic Shaping ... > - Ensure Reliable Performance of Mission Critical Applications ...
      (Incidents)
    • Re: Increasing ICMP Echo Requests
      ... > Captus Networks - Integrated Intrusion Prevention and Traffic Shaping ... > - Ensure Reliable Performance of Mission Critical Applications ... > - Precisely Define and Implement Network Security and Performance Policies ...
      (Incidents)
    • Re: Increasing ICMP Echo Requests
      ... We are looking into filtering ICMP echo ... >Captus Networks - Integrated Intrusion Prevention and Traffic Shaping ... > - Ensure Reliable Performance of Mission Critical Applications ...
      (Incidents)