RE: what is this?
From: Fernando Cardoso (fcardoso_at_trusted.pt)
Date: 08/19/03
To: <incidents@securityfocus.com>
Date: Tue, 19 Aug 2003 18:19:51 +0100
Sounds like an IGMP (IP protocol 2) multicast announcement.
Fernando
>
>
> Hi list,
>
> I captured activity with Snort and I can't think of what it is. Does
> anybody know?
>
> 08/19-00:42:39.063639 20:53:52:43:0:0 -> 44:45:53:54:0:0 type:0x800
> len:0x2A
> 194.30.220.216 -> 224.0.0.1 PROTO002 TTL:1 TOS:0xC0 ID:44416 IpLen:20
> DgmLen:28
> 11 64 EE 9B 00 00 00 00 .d......
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 08/19-00:43:39.185528 20:53:52:43:0:0 -> 44:45:53:54:0:0 type:0x800
> len:0x2A
> 194.30.220.216 -> 224.0.0.1 PROTO002 TTL:1 TOS:0xC0 ID:48569 IpLen:20
> DgmLen:28
> 11 64 EE 9B 00 00 00 00 .d......
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 08/19-00:44:39.301674 20:53:52:43:0:0 -> 44:45:53:54:0:0 type:0x800
> len:0x2A
> 194.30.220.216 -> 224.0.0.1 PROTO002 TTL:1 TOS:0xC0 ID:51771 IpLen:20
> DgmLen:28
> 11 64 EE 9B 00 00 00 00 .d......
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 08/19-00:45:39.423600 20:53:52:43:0:0 -> 44:45:53:54:0:0 type:0x800
> len:0x2A
> 194.30.220.216 -> 224.0.0.1 PROTO002 TTL:1 TOS:0xC0 ID:55167 IpLen:20
> DgmLen:28
> 11 64 EE 9B 00 00 00 00 .d......
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 08/19-00:46:39.556458 20:53:52:43:0:0 -> 44:45:53:54:0:0 type:0x800
> len:0x2A
> 194.30.220.216 -> 224.0.0.1 PROTO002 TTL:1 TOS:0xC0 ID:58562 IpLen:20
> DgmLen:28
> 11 64 EE 9B 00 00 00 00 .d......
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 08/19-00:47:39.672239 20:53:52:43:0:0 -> 44:45:53:54:0:0 type:0x800
> len:0x2A
> 194.30.220.216 -> 224.0.0.1 PROTO002 TTL:1 TOS:0xC0 ID:62338 IpLen:20
> DgmLen:28
> 11 64 EE 9B 00 00 00 00
>
>
>
> By the way, is there any link that explains Snort's output well?
>
>
> Thanks in advance
>
Trusted Systems - http://www.trusted.pt
Praça de Alvalade, n.º 6 - 6.º piso
1700-036 Lisboa, PORTUGAL
Tel: +351 217994200
Fax: +351 217994242
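
Added example, not part of the original thread: a decoder for the 8-byte IP payload that Snort printed in the quoted capture (11 64 EE 9B 00 00 00 00), using the IGMPv1/v2 message layout from RFC 1112 and RFC 2236. The function and variable names are illustrative, and only the 8-byte v1/v2 layout is handled.

```python
import struct
from ipaddress import IPv4Address

# IGMP message types (RFC 1112 / RFC 2236)
IGMP_TYPES = {
    0x11: "Membership Query",
    0x12: "IGMPv1 Membership Report",
    0x16: "IGMPv2 Membership Report",
    0x17: "IGMPv2 Leave Group",
}

# Payload bytes copied from the Snort output quoted in the thread.
SNORT_PAYLOAD = bytes.fromhex("11 64 EE 9B 00 00 00 00")


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: complement of the one's-complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_igmp(payload: bytes) -> dict:
    """Decode one 8-byte IGMPv1/v2 message (the IP payload, protocol 2)."""
    if len(payload) != 8:
        raise ValueError("only the 8-byte IGMPv1/v2 layout is handled")
    msg_type, max_resp, checksum, group = struct.unpack("!BBH4s", payload)
    group_addr = IPv4Address(group)
    info = {
        "type": IGMP_TYPES.get(msg_type, f"unknown (0x{msg_type:02x})"),
        "max_resp_seconds": max_resp / 10,  # field is in units of 1/10 s
        "checksum": checksum,
        # Summing a message that includes a correct checksum yields 0.
        "checksum_ok": inet_checksum(payload) == 0,
        "group": str(group_addr),
    }
    if msg_type == 0x11:
        # Group 0.0.0.0 means a general query, sent to all-hosts 224.0.0.1.
        general = group_addr == IPv4Address("0.0.0.0")
        info["query_kind"] = "general" if general else "group-specific"
        # IGMPv1 queries leave the second byte zero; IGMPv2 sets it.
        info["version"] = 1 if max_resp == 0 else 2
    return info


if __name__ == "__main__":
    print(decode_igmp(SNORT_PAYLOAD))
```
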