[Dshield] Snort entry I do not understand, what is PROTO255

David McGaughey mcgoy at plumbearcat.com
Thu Jun 30 16:39:18 GMT 2005


Thank you to everyone who replied to this post!  Here's the packet:

[**] (portscan) TCP Portscan [**]
06/28-22:59:08.756282 4D:41:43:44:41:44 -> 4D:41:43:44:41:44 type:0x800 len:0xB0
18.7.14.127 -> xx.xx.x.xxx PROTO255 TTL:0 TOS:0x0 ID:19548 IpLen:20 DgmLen:162
50 72 69 6F 72 69 74 79 20 43 6F 75 6E 74 3A 20  Priority Count: 
31 30 0A 43 6F 6E 6E 65 63 74 69 6F 6E 20 43 6F  10.Connection Co
75 6E 74 3A 20 31 33 0A 49 50 20 43 6F 75 6E 74  unt: 13.IP Count
3A 20 34 0A 53 63 61 6E 6E 65 72 20 49 50 20 52  : 4.Scanner IP R
61 6E 67 65 3A 20 ss ss ss 2E ss ss ss 2E ss ss  ange: sss.sss.ss
ss 2E ss 3A xx xx 2E xx 2E xx 2E xx xx xx 0A 50  s.s:XX.x.x.xxx.P
6F 72 74 2F 50 72 6F 74 6F 20 43 6F 75 6E 74 3A  ort/Proto Count:
20 36 0A 50 6F 72 74 2F 50 72 6F 74 6F 20 52 61   6.Port/Proto Ra
6E 67 65 3A 20 31 31 33 3A 33 37 30 36 0A        nge: 113:3706.

Sss.sss.sss.s is a Novell 6.5 Enterprise server installed about 2 weeks ago
from the CDs downloaded from Novell's web site.  Our MCNE looked the server
over and can't find anything he feels is out of place.  Could be just part
of the new install?

[...]
IP range, and port range.  The characteristics of the packet are:

Src/Dst MAC Addr == MACDAD
IP Protocol == 255
IP TTL == 0


Hope this helps,
Mike
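
Added example (not part of the original thread): a Python sketch that recognises a portscan summary pseudo-packet by the three markers listed in the reply and decodes its hex dump into the summary fields. The alert layout is assumed to match the one quoted in the post; the sample alert and its addresses are constructed, and all function names are hypothetical.

```python
import re

MACDAD = "4D:41:43:44:41:44"  # the ASCII bytes of "MACDAD"
HEX_ROW = re.compile(r"^((?:[0-9A-Fa-f]{2} ){1,16}) ")  # one hex-dump row

# Constructed sample (not from the post); addresses are documentation ranges.
_PAYLOAD = ("Priority Count: 10\nConnection Count: 13\nIP Count: 4\n"
            "Scanner IP Range: 192.0.2.10:192.0.2.10\n"
            "Port/Proto Count: 6\nPort/Proto Range: 113:3706\n")

def _hexdump(data: bytes) -> str:
    """Render bytes as 16-per-row hex plus ASCII, like the dump in the post."""
    rows = []
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{hexpart:<47}  {text}")
    return "\n".join(rows)

SAMPLE_ALERT = (
    "[**] (portscan) TCP Portscan [**]\n"
    f"06/28-22:59:08.756282 {MACDAD} -> {MACDAD} type:0x800 len:0xB0\n"
    "192.0.2.10 -> 198.51.100.7 PROTO255 TTL:0 TOS:0x0 ID:19548 IpLen:20\n"
    + _hexdump(_PAYLOAD.encode("ascii")) + "\n"
)

def is_portscan_pseudo_packet(alert: str) -> bool:
    """True only when both MACs are MACDAD, protocol is 255 and TTL is 0."""
    macs = re.search(r"(\S+) -> (\S+) type:", alert)
    return bool(macs and macs.group(1).upper() == MACDAD == macs.group(2).upper()
                and re.search(r"\bPROTO255\b", alert)
                and re.search(r"\bTTL:0\b", alert))

def decode_summary(alert: str) -> dict:
    """Rebuild the payload from the hex rows and split it into 'Key: value' fields."""
    if not is_portscan_pseudo_packet(alert):
        raise ValueError("not a portscan summary pseudo-packet")
    raw = bytearray()
    for line in alert.splitlines():
        m = HEX_ROW.match(line)
        if m:  # header lines do not match; only hex rows contribute bytes
            raw += bytes.fromhex(m.group(1))
    fields = {}
    for row in raw.decode("ascii", "replace").splitlines():
        key, sep, value = row.partition(": ")
        if sep:
            fields[key] = value
    return fields
```

Requiring all three markers together keeps the check from matching a real packet that merely has an unusual protocol number or TTL.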

 
