[Snort-users] Re: portscans from 255.255.255.255?

["Sam Evans" <sam@xxxxxxxxxxxxx>]

FWIW, we too have been seeing an increase in scans like this. 
twig les writes: 
> Hey all, I have seriously debated whether I should
> send this since it may or may not be off-topic; it's
> just too bizarre to tell.  My border routers are
> sysloging this: 
> bdr-acl-in denied tcp 255.255.255.255(80) ->
> 1.1.156.194(8118) 
> The acl is named correctly - these hits are coming
> from the outside.  They hit random IPs in our range
> like NMAP, and they always target a high port coming
> from 80.  I would assume they are from a LAN upstream
> since only routers doing stupid things forward
> broadcasts.  The implications of this coming from our
> upstream provider are quite large since we peer via
> dual /30s. 
> It isn't crucial to my security (we don't let those
> shenanigans in the border), but does snort see this as
> bad traffic?  I did a quick "grep 255.255.255.255 *"
> in the snortrules dir and only came up with a couple
> of snmp rules.  I would like to know if I should write
> a rule for this since I only caught this by accident
> this time. 
>
> =====
> -----------------------------------------------------------
> Know yourself and know your enemy and you will never fear defeat.         
> ----------------------------------------------------------- 
> __________________________________________________
> Do you Yahoo!?
> Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
> http://mailplus.yahoo.com 
>
> -------------------------------------------------------
> This SF.NET email is sponsored by:
> SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
> http://www.vasoftware.com
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users