Koozali.org: home of the SME Server
Legacy Forums => General Discussion (Legacy) => Topic started by: boringgit on February 29, 2004, 02:44:44 PM
-
Apologies if this is a dumb question - My first real play with IDS.
Yesterday I got Snort and Guardian up and running thanks to the excellent howto by Ari Novikoff.
Snort is merrily going through, looking at all of the activity and being suitably paranoid. Given that pretty much all of the alerts are coming from my network and going out (and most are just routine browsing), I am pleased to see that Guardian is happily ignoring them.
One of the entries in my Guardian log however comes from an address outside my network, and is going to an address outside my network.
Odd.. source = 169.254.198.xxx, dest = 239.255.255.xxx - No action done.
Any ideas what this could be, and if I should be concerned, how can I block it....
Thanks in advance!
-
Not that I can help with this one but to let you know that I have asked this very question on the old site, without an answer :)
I would receive countless entries everyday in my guardian log file.
No, I never did find out the cause, but on the positive side my ISP advised that they were unable to detect any unusual activity.
So I will also be interested in the answer to this one.
Regards
Dave
-
Are you running some type of DDNS update software within your LAN? This will generate either PING or HTTP lookup requests to verify your current IP and update your DDNS supplier. I have had a similar issue and have been using DirectUpdate with Zoneedit.
-
Just reading up on firewalls at the moment, so this caught my attention. If both the source and destination are off your network, why did your snort/guardian combo pick it up?
PeterG.
-
Thanks for the replies!
It has been pointed out to me that the 169 address is the kind of address which a device will give itself when it cannot find a DHCP server, although I am not sure what, it seems likely that something has been plugged in and has therefore caused these errors.
I am running Dyndns, but only on the server, could this be the culprit?
Thankfully alerts seem to be a little bit more uniform at present, handy to keep my hair from turning grey!
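The thread's "source = 169.254.x.x, dest = 239.255.255.x" entry and PeterG's question (why a sensor on the LAN sees traffic between two addresses that are "outside" the LAN) come down to address scope: 169.254.0.0/16 is the link-local range a host self-assigns when no DHCP lease is obtained, and 239.255.255.x lies in the multicast range, so neither end is a remote host. The following triage script is an added example, not part of the original thread or of Snort/Guardian; it parses constructed Guardian-style lines (the thread only shows obfuscated octets, and the 239.255.255.250 group used in the sample is the SSDP/UPnP discovery address, assumed here) and labels each entry so that local-segment noise is separated from real inbound or outbound traffic. The LAN range 192.168.1.0/24 is an assumption.

```python
import ipaddress
import re

# Constructed sample Guardian log lines (not from the original thread).
SAMPLE_LOG = """\
Odd.. source = 169.254.198.7, dest = 239.255.255.250 - No action done.
Odd.. source = 192.168.1.20, dest = 203.0.113.9 - No action done.
Odd.. source = 198.51.100.4, dest = 192.168.1.20 - No action done.
Odd.. source = 192.168.1.20, dest = 224.0.0.251 - No action done.
"""

# Assumed internal subnet; adjust to the real LAN.
LAN = ipaddress.ip_network("192.168.1.0/24")

LINE_RE = re.compile(r"source = (\S+), dest = (\S+)")


def classify_address(addr_str, lan=LAN):
    """Label where an address lives relative to the LAN segment."""
    addr = ipaddress.ip_address(addr_str)
    if addr in lan:
        return "lan"
    if addr.is_link_local:
        # 169.254.0.0/16: self-assigned when no DHCP server answered (APIPA).
        return "link-local"
    if addr.is_multicast:
        # 224.0.0.0/4: group address; 239.255.255.250 is SSDP, 224.0.0.251 is mDNS.
        return "multicast"
    if addr.is_loopback:
        return "loopback"
    return "off-lan"


def classify_line(line, lan=LAN):
    """Parse one Guardian-style line and give a triage verdict, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst = m.groups()
    src_kind = classify_address(src, lan)
    dst_kind = classify_address(dst, lan)
    segment_scoped = ("lan", "link-local", "multicast")
    if src_kind in segment_scoped and dst_kind in segment_scoped:
        # Link-local sources and multicast groups never cross the router:
        # the sensor sees them because the sender sits on the same segment.
        verdict = "local-segment"
    elif src_kind == "off-lan" and dst_kind == "lan":
        verdict = "inbound"
    elif src_kind == "lan" and dst_kind == "off-lan":
        verdict = "outbound"
    else:
        verdict = "unclassified"
    return {"src": src, "src_kind": src_kind,
            "dst": dst, "dst_kind": dst_kind, "verdict": verdict}


def triage(log_text, lan=LAN):
    """Classify every parseable line of a Guardian log."""
    return [r for r in (classify_line(l, lan) for l in log_text.splitlines()) if r]


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(f"{entry['verdict']:14} {entry['src']:16} ({entry['src_kind']}) -> "
              f"{entry['dst']:16} ({entry['dst_kind']})")
```

The first sample line lands in "local-segment": a link-local source talking to a multicast group is a device on the same wire that never got a DHCP lease (the explanation given later in the thread), which is why the sensor saw it even though neither address belongs to the configured LAN range. That verdict is a prompt to find the unconfigured device, not evidence of a remote attacker; the "inbound" and "outbound" verdicts are the ones that merit the usual review.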