[Dshield] Snort entry I do not understand, what is PROTO255

Mark Tombaugh mtombaugh at alliedcc.com
Thu Jun 30 15:21:20 GMT 2005


On Thu, 2005-06-30 at 08:14 -0500, David McGaughey wrote:
> 06/28-22:59:08.756282 4D:41:43:44:41:44 -> 4D:41:43:44:41:44 type:0x800
> len:0xB0
> 
> 18.7.14.127 -> XXX.XXX.XXX.XXX PROTO255 TTL:0 TOS:0x0 ID:19548 IpLen:20
> DgmLen:162

> Please note XXX.XXX.XXX.XXX - I took IP of internal machine out.  What is
> PROTO255?

PROTO255 is a packet crafted by snort which contains the payload of the
actual portscan. The MAC, notice it's the same, is the address used for
the PROTO255 packet. The alert should contain this packet. Check its
headers for the source & destination IPs that triggered the alert.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mark Tombaugh mtombaugh at alliedcc.com Allied Computer Corp
Research Triangle Park www.alliedcc.com tel:(919)598-8900
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
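
Added example (not part of the original post and not Snort's own code): a small Python parser that reads log entries in the layout quoted above and flags those matching the reply's description, i.e. protocol 255 with identical source and destination MAC. The name parse_records, the record field names and the second sample record are constructed for illustration; the two-condition check is a heuristic drawn from the reply, not a rule documented by Snort.

```python
import re

# First record follows the quoted entry (quote markers dropped, line wrap and
# redaction kept). The second record is constructed, using documentation IPs.
SAMPLE = """\
06/28-22:59:08.756282 4D:41:43:44:41:44 -> 4D:41:43:44:41:44 type:0x800
len:0xB0
18.7.14.127 -> XXX.XXX.XXX.XXX PROTO255 TTL:0 TOS:0x0 ID:19548 IpLen:20
DgmLen:162

06/28-23:01:10.000001 00:11:22:33:44:55 -> 66:77:88:99:AA:BB type:0x800 len:0x3C
198.51.100.7:40000 -> 192.0.2.10:22 TCP TTL:52 TOS:0x0 ID:4242 IpLen:20 DgmLen:60
"""

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
ADDR = r"[0-9Xx.]+"  # dotted quad; X allowed so redacted addresses still parse
ETH_RE = re.compile(
    rf"(?P<ts>\S+)\s+(?P<smac>{MAC})\s+->\s+(?P<dmac>{MAC})\s+type:\S+\s+len:\S+")
IP_RE = re.compile(
    rf"(?P<src>{ADDR})(?::\d+)?\s+->\s+(?P<dst>{ADDR})(?::\d+)?\s+"
    rf"(?P<proto>PROTO\d+|[A-Z]+)\s+TTL:(?P<ttl>\d+)")


def parse_records(text):
    """Return one dict per blank-line-separated log entry."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        flat = " ".join(block.split())  # undo mail/terminal line wrapping
        eth = ETH_RE.search(flat)
        ip = IP_RE.search(flat, eth.end()) if eth else None
        if not ip:
            continue  # not an entry in the expected layout
        same_mac = eth["smac"].upper() == eth["dmac"].upper()
        records.append({
            "ts": eth["ts"], "src": ip["src"], "dst": ip["dst"],
            "proto": ip["proto"], "ttl": int(ip["ttl"]),
            # Heuristic from the reply: protocol 255 and one MAC on both sides
            # means a Snort-generated packet, not traffic seen on the wire.
            "pseudo": ip["proto"] == "PROTO255" and same_mac,
        })
    return records


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        kind = "snort pseudo-packet" if rec["pseudo"] else "captured traffic"
        print(rec["ts"], rec["src"], "->", rec["dst"], rec["proto"], kind)
```

Entries flagged as pseudo-packets are the ones whose payload should be read for the scan details, as the reply suggests.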



