[Dshield] Snort entry I do not understand, what is PROTO255

Johannes B. Ullrich jullrich at euclidian.com
Thu Jun 30 15:00:23 GMT 2005


> Have an internal machine, behind an NS50 firewall ingress and egress
> filtering dynamic NAT, no direct internet access.  It is a windows 2000
> machine running snort on a switched network.  Most snort entries very boring
> and predictable.  But not this one:
> 
> [**] [122:1:0] (portscan) TCP Portscan [**]
> 
> 06/28-22:59:08.756282 4D:41:43:44:41:44 -> 4D:41:43:44:41:44 type:0x800
> len:0xB0
> 
> 18.7.14.127 -> XXX.XXX.XXX.XXX PROTO255 TTL:0 TOS:0x0 ID:19548 IpLen:20
> DgmLen:162

This looks like a protocol scan (not a port scan), or may be an OS
fingerprinting attempt. Protocol 255 is not used AFAIK. Based on my
protocol file, it is defined as 'RAW IP Interface'.

Common protocols are:
1  - ICMP (e.g. 'ping')
6  - TCP
17 - UDP

somewhat common:
2     - IGMP (used for multicasting)
50/51 - ipsec
41    - ipv6 tunnel

if you are doing some routing, you may see respective routing protocols
as well. But the protocols listed above should pretty much cover you.

One issue from a firewall perspective: most firewalls focus on
tcp/udp/icmp. Make sure you block un-used protocols as well. In
particular ipv6 can be used to setup a tunnel into your network and it
may bypass your firewall if not blocked. Some of the IRC bots are ipv6
capable.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 256 bytes
Desc: OpenPGP digital signature
Url : http://www.dshield.org/pipermail/list/attachments/20050630/7b35656b/signature-0001.bin


More information about the list mailing list