[Dshield] Snort entry I do not understand, what is PROTO255

David McGaughey mcgoy at plumbearcat.com
Thu Jun 30 13:14:05 GMT 2005



Have an internal machine, behind an NS50 firewall ingress and egress
filtering dynamic NAT, no direct internet access.  It is a windows 2000
machine running snort on a switched network.  Most snort entries very boring
and predictable.  But not this one:



[**] [122:1:0] (portscan) TCP Portscan [**]

06/28-22:59:08.756282 4D:41:43:44:41:44 -> 4D:41:43:44:41:44 type:0x800
len:0xB0 -> XXX.XXX.XXX.XXX PROTO255 TTL:0 TOS:0x0 ID:19548 IpLen:20


Please note XXX.XXX.XXX.XXX - I took IP of internal machine out.  What is



David McGaughey <http://mcgoy.plumbearcat.com/> 

Lubbock, Texas

mcgoy at plumbearcat.com




More information about the list mailing list