External IP blocked on my LAN?
-
I have a Snort block originating from an external IP on my LAN interface:
2016-12-19 23:33:04 2 169.254.56.69 169.254.255.255 122:23 Attempted Information Leak (portscan) UDP Filtered Portsweep
Do you think this is an actual intrusion or just some app on a local machine? Why does Snort say it originates from the IP 169.254.56.69, which tcpiputils.com says is located in Washington DC?
Thanks in advance..
-
All 169.254.x.x addresses are link-local addresses from within your own network.
https://en.wikipedia.org/wiki/Link-local_address
To find out which machine is using the address, capture the traffic from the link-local address using 'Diagnostics, Packet Capture', then open the captured trace in Wireshark so that you can read the output and find the corresponding MAC address for the link-local machine.
Using a host on the same segment as the link-local culprit, use arp -a | grep MACaddressPart
Where: MACaddressPart is the whole MAC address or part of it.
E.g. for a MAC address ending in 1f:86 use
arp -a | grep 1f:86
-
I forgot that you can also use pfSense packet capture with 'Full' detail to get the MAC address but I'm in a habit now of using Wireshark for the colour highlighting.
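The lookup described in the two replies above (capture the link-local traffic, read the source MAC, then match it against arp -a from a host on the same segment) as an added, scripted example; this is not code from the thread or from pfSense. The capture lines, the arp -a output, the MACs and the 192.168.1.x hosts are all constructed sample data.

```python
import ipaddress
import re

# Constructed sample data (not from the original thread): a tcpdump-style
# capture with link-layer detail, as the pfSense "Full" packet capture shows it.
CAPTURE = """\
23:33:04.101 3c:2e:f9:aa:1f:86 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 92: 169.254.56.69.137 > 169.254.255.255.137: UDP, length 50
23:33:04.205 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request
"""

# Constructed `arp -a` output in FreeBSD/pfSense form from a host on the same segment.
ARP = """\
? (192.168.1.1) at 00:08:a2:0a:ff:01 on em0 permanent [ethernet]
? (192.168.1.20) at 00:11:22:33:44:55 on em0 expires in 1160 seconds [ethernet]
? (192.168.1.37) at 3c:2e:f9:aa:1f:86 on em0 expires in 845 seconds [ethernet]
"""

FRAME_RE = re.compile(r"^\S+ (?P<smac>[0-9a-f:]{17}) > \S+, .*?: (?P<sip>\d+\.\d+\.\d+\.\d+)\.\d+ >")
ARP_RE = re.compile(r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>[0-9a-f:]{17})")


def is_link_local(ip: str) -> bool:
    """True for 169.254.0.0/16: never routed, so a geolocation lookup of it is meaningless."""
    return ipaddress.ip_address(ip).is_link_local


def source_macs(capture: str, ip: str) -> set:
    """Source MAC addresses of every captured frame sent from `ip`."""
    macs = set()
    for line in capture.splitlines():
        m = FRAME_RE.match(line)
        if m and m.group("sip") == ip:
            macs.add(m.group("smac"))
    return macs


def arp_matches(arp_output: str, mac_part: str) -> list:
    """Equivalent of `arp -a | grep MACaddressPart`: (ip, mac) entries containing it."""
    return [(m.group("ip"), m.group("mac")) for m in ARP_RE.finditer(arp_output)
            if mac_part.lower() in m.group("mac")]


def locate(capture: str, arp_output: str, ip: str) -> dict:
    """Tie a link-local source address back to the LAN host that owns the MAC."""
    if not is_link_local(ip):
        return {"link_local": False, "macs": set(), "hosts": []}
    macs = source_macs(capture, ip)
    hosts = [h for mac in sorted(macs) for h in arp_matches(arp_output, mac)]
    return {"link_local": True, "macs": macs, "hosts": hosts}
```

On a real capture, feed the output of tcpdump -e (or the pfSense Full capture) into CAPTURE and the arp -a output of a host on the same segment into ARP; the link-local address itself will usually not appear in the ARP table, only the MAC will, under the host's normal address.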
-
Thanks for the help..