Snort on LAN, but have external IP alerts?
-
If I have Snort active only on the LAN how do I have alerts originating from an external IP address with a destination to an external IP address?
06/24/16 05:59:47 2 Attempted Information Leak 169.254.11.216 169.254.255.255 122:23 (portscan) UDP Filtered Portsweep
06/24/16 05:58:06 2 Attempted Information Leak 169.254.11.216 224.0.0.252 122:23 (portscan) UDP Filtered Portsweep
-
Those are not "external" addresses. The 169.254.x.x range is the default auto-IP address space used by Microsoft Windows when a client is configured for DHCP and no DHCP server can be found. So that 169.254.11.216 address is some device on your LAN that has an auto-config IP address. The 224.0.0.252 address is the multicast address for Link-local Multicast Name Resolution (LLMNR). Again, this is on your LAN and is coming from a Windows client there.
Bill
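An added example, not part of the original thread: a small Python triage helper that parses alert rows like the two pasted above and labels each address by scope, so link-local and multicast traffic is not mistaken for external traffic. The column order in `ROW` and the names `classify` and `triage` are assumptions made for this illustration.

```python
import ipaddress
import re

# Constructed sample: the two alert rows quoted in the thread.
SAMPLE_ALERTS = """\
06/24/16 05:59:47 2 Attempted Information Leak 169.254.11.216 169.254.255.255 122:23 (portscan) UDP Filtered Portsweep
06/24/16 05:58:06 2 Attempted Information Leak 169.254.11.216 224.0.0.252 122:23 (portscan) UDP Filtered Portsweep
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Assumed column order, inferred from the pasted rows:
# date time priority classification source destination gid:sid description
ROW = re.compile(rf"^(\S+) (\S+) (\d+) (.+?) ({IPV4}) ({IPV4}) (\d+:\d+) (.+)$")
LLMNR = ipaddress.ip_address("224.0.0.252")


def classify(addr):
    """Label an IPv4 address by scope. Order matters: Python's is_private
    is also True for link-local space, so link-local is tested first."""
    ip = ipaddress.ip_address(addr)
    if ip == LLMNR:
        return "multicast (LLMNR)"
    if ip.is_link_local:      # 169.254.0.0/16
        return "link-local"
    if ip.is_multicast:       # 224.0.0.0/4
        return "multicast"
    if ip.is_private:         # RFC 1918, loopback and other reserved ranges
        return "private/reserved"
    return "public"


def triage(text):
    """Parse alert rows and flag the ones that involve a public address."""
    results = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # row does not fit the assumed layout
        src, dst = m.group(5), m.group(6)
        try:
            labels = (classify(src), classify(dst))
        except ValueError:
            continue  # octet out of range, not a valid address
        results.append({"src": src, "dst": dst, "sid": m.group(7),
                        "src_class": labels[0], "dst_class": labels[1],
                        "external": "public" in labels})
    return results
```

Calling `triage(SAMPLE_ALERTS)` returns one record per alert row; both rows from the thread come back with `external` set to `False`.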
-
Thanks that makes sense. Now to figure out which one it is..
-
How to find the link-local machine…
https://forum.pfsense.org/index.php?topic=122888.msg688720#msg688720