Koozali.org: home of the SME Server
  1. Koozali.org: home of the SME Server
  2. Legacy Forums
  3. General Discussion (Legacy)
  4. Topic: Snort & Guardian
« previous next »
Pages: [1]   Go Down

Snort & Guardian

  • 4 Replies
  • 1528 Views

boringgit

Snort & Guardian
« on: February 29, 2004, 02:44:44 PM »
Apologies if this is a dumb question - My first real play with IDS.

Yesterday I got Snort and Guardian up and running thanks to the excelent howto by Ari Novikoff.

Snort is merrilly going through, looking at all of the activity and being suitably paraniod. Given that pretty much all of the alerts are coming from my network and going out (and most are just routine browsing), I am pleased to see that Guardian is happilly ignoring them.

One of the entries in my Guardian log however comes from an address outside my network, and is going to an address outside my network
Quote

Odd.. source = 169.254.198.xxx, dest = 239.255.255.xxx - No action done.


Any ideas what this could be, and if I should be concerned, how can I block it....

Thanks in advance![/quote]
Logged

Dave

Snort & Guardian
« Reply #1 on: March 01, 2004, 08:18:50 AM »
Not that I can help with this one but to let you know that I have have asked this very question on the old site, without an answer :)

I would receive countless entries everyday in my guardian log file.

No I never did find out the cause, but on the positive side my ISP advised that they were unable to detect any unussual activity.

So I will also be intrested in the answer to this one.

Regards

Dave
Logged

Darin

Snort & Guardian
« Reply #2 on: March 19, 2004, 06:35:37 AM »
Are you running some type of DDNS update software within your LAN?  This will generate either PING or HTTP lookups requests to verify your current IP and update your DDNS supplier.  I have had a similar issue and have been using DirectUpdate with Zoneedit.
Logged

PeterG

Snort & Guardian
« Reply #3 on: March 19, 2004, 02:37:35 PM »
Just reading up on firewalls at the moment, so this caught my attention. If both the source and detination are off your network why did your snort/guardian combo pick it up?

PeterG.
Logged

boringgit

Snort & Guardian
« Reply #4 on: March 20, 2004, 04:39:54 PM »
Thanks for the replys!

It has been pointed out to me that the 169 address is the kind of address which a device will give itself when it cannot find a DHCP server, Although I am not sure what, it seems likely that something has been plugged in and therefore caused these errors.

I am running Dyndns, but only on the server, could this be the culprit?

Thankfully alerts seem to be a little bit more uniform at present, handy to keep my hair from turning grey!
Logged
Pages: [1]   Go Up
« previous next »
  1. Koozali.org: home of the SME Server
  2. Legacy Forums
  3. General Discussion (Legacy)
  4. Topic: Snort & Guardian