RE: what is this?

From: Fernando Cardoso (fcardoso_at_trusted.pt)
Date: 08/19/03

    To: <incidents@securityfocus.com>
    Date: Tue, 19 Aug 2003 18:19:51 +0100
    
    

    Sounds like an IGMP (IP protocol 2) multicast announce.

    Fernando

    >
    >
    > Hi list,
    >
    > I captured activity with snort and I can't think of what it is. Does
    > anybody know?
    >
    > 08/19-00:42:39.063639 20:53:52:43:0:0 -> 44:45:53:54:0:0 type:0x800
    > len:0x2A
    > 194.30.220.216 -> 224.0.0.1 PROTO002 TTL:1 TOS:0xC0 ID:44416 IpLen:20
    > DgmLen:28
    > 11 64 EE 9B 00 00 00 00 .d......
    >
    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    >
    > 08/19-00:43:39.185528 20:53:52:43:0:0 -> 44:45:53:54:0:0 type:0x800
    > len:0x2A
    > 194.30.220.216 -> 224.0.0.1 PROTO002 TTL:1 TOS:0xC0 ID:48569 IpLen:20
    > DgmLen:28
    > 11 64 EE 9B 00 00 00 00 .d......
    >
    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    >
    > 08/19-00:44:39.301674 20:53:52:43:0:0 -> 44:45:53:54:0:0 type:0x800
    > len:0x2A
    > 194.30.220.216 -> 224.0.0.1 PROTO002 TTL:1 TOS:0xC0 ID:51771 IpLen:20
    > DgmLen:28
    > 11 64 EE 9B 00 00 00 00 .d......
    >
    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    >
    > 08/19-00:45:39.423600 20:53:52:43:0:0 -> 44:45:53:54:0:0 type:0x800
    > len:0x2A
    > 194.30.220.216 -> 224.0.0.1 PROTO002 TTL:1 TOS:0xC0 ID:55167 IpLen:20
    > DgmLen:28
    > 11 64 EE 9B 00 00 00 00 .d......
    >
    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    >
    > 08/19-00:46:39.556458 20:53:52:43:0:0 -> 44:45:53:54:0:0 type:0x800
    > len:0x2A
    > 194.30.220.216 -> 224.0.0.1 PROTO002 TTL:1 TOS:0xC0 ID:58562 IpLen:20
    > DgmLen:28
    > 11 64 EE 9B 00 00 00 00 .d......
    >
    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    >
    > 08/19-00:47:39.672239 20:53:52:43:0:0 -> 44:45:53:54:0:0 type:0x800
    > len:0x2A
    > 194.30.220.216 -> 224.0.0.1 PROTO002 TTL:1 TOS:0xC0 ID:62338 IpLen:20
    > DgmLen:28
    > 11 64 EE 9B 00 00 00 00
    >
    >
    >
    > By the way, is there any link that explains snort's output well?
    >
    >
    > Thanks in advance
    >

    Trusted Systems - http://www.trusted.pt
    Praça de Alvalade, n.º 6 - 6.º piso
    1700-036 Lisboa, PORTUGAL
    Tel: +351 217994200
    Fax: +351 217994242
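
Added example, not part of the original thread: decoding the 8-byte payload from the Snort records above with the IGMPv2 field layout from RFC 2236 and checking it against the destination (224.0.0.1) and TTL (1) in the same records. The function names and the returned dictionary keys are illustrative assumptions.

```python
import ipaddress
import struct

# Payload bytes as shown in the Snort dump quoted in the thread.
PAYLOAD = bytes.fromhex("1164EE9B00000000")

# Type codes from RFC 2236 (IGMPv2); 0x12 is the IGMPv1 report.
IGMP_TYPES = {0x11: "Membership Query", 0x12: "v1 Membership Report",
              0x16: "v2 Membership Report", 0x17: "Leave Group"}

def checksum_ok(data: bytes) -> bool:
    """Internet checksum: the one's-complement sum of all 16-bit words,
    checksum field included, must come out as 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode_igmp(payload: bytes, dst_ip: str, ttl: int) -> dict:
    """Decode an 8-byte IGMPv2 message and note anything unexpected."""
    if len(payload) < 8:
        raise ValueError("an IGMPv2 message is 8 bytes")
    msg_type, max_resp, checksum, group = struct.unpack("!BBH4s", payload[:8])
    group_ip = ipaddress.IPv4Address(group)
    name = IGMP_TYPES.get(msg_type, f"unknown type 0x{msg_type:02x}")
    general = msg_type == 0x11 and int(group_ip) == 0
    if msg_type == 0x11:
        name = ("General " if general else "Group-Specific ") + name
    valid = checksum_ok(payload[:8])
    notes = []
    if not valid:
        notes.append("bad checksum")
    if ttl != 1:  # RFC 2236 messages are sent with IP TTL 1
        notes.append("TTL is not 1")
    if general and dst_ip != "224.0.0.1":
        notes.append("general query not addressed to all-hosts group")
    # Max Resp Time is carried in units of 1/10 second.
    return {"type": name, "max_response_seconds": max_resp / 10,
            "checksum": f"0x{checksum:04X}", "checksum_valid": valid,
            "group": str(group_ip), "notes": notes}

if __name__ == "__main__":
    # Destination and TTL taken from the same Snort record.
    for key, value in decode_igmp(PAYLOAD, "224.0.0.1", 1).items():
        print(f"{key}: {value}")
```

An empty `notes` list means the record is consistent with routine link-local IGMP traffic; the once-a-minute spacing of the timestamps in the capture is a separate observation the decoder does not check.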

    
