Strange alerts

Discussion in 'LnS English Forum' started by sir_carew, Apr 5, 2005.

Thread Status:
Not open for further replies.
  1. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hi,
    I'm writing because for 2 days I've been getting strange records in LNS.
    First of all, I have used the Phantom rules for a long time. The strange thing is that I've been receiving these alerts for 2 days. The alerts are related to the Phantom rules, not the default rules, but as I said before, the problem started some days ago and I've been using the Phantom rule set for a long time.
    I noticed this strange issue when I installed VMware Workstation. This program adds new "virtual" network interfaces. Maybe it's the cause? But I noticed these alerts even if VMware isn't running, and moreover these alerts appeared 1.000 times!!!
    Details:
    +Anti-MAC Spoofing, Source: 00:E0:4C:8E:9D:A9, Destination: 00:02:A4:00:A0:E2, Internet >> PC, Source port: 3785, Destination port: 1052.
    0000:00 00 00 00 E6 51 CE 01 ....æQÎ.
    0008:00 00 00 00 00 00 00 00 ........
    0010:00 00 00 00 00 00 00 00 ........
    0018:00 00 00 00 06 00 00 00 ........
    0020:D3 22 04 00 53 9F 30 00 Ó"..SŸ0.
    0028:00 00 00 00 00 00 00 00 ........

    Note: All alerts are the same. Now I have about 5.000 identical alerts in about 6 hours.

    Another alert I've never seen before: Protocol, PC >> Internet, Source Address: 00:50:56:C0:00:01, Destination Address: FF:FF:FF:FF:FF:FF, Source: Nul=0.0.0.0.
    Src port: bootpc=68, Dest port: bootps=67.
    0000:01 01 06 00 CA 0D AF 71 ....Ê.¯q
    0008:1C 00 80 00 00 00 00 00 .€.....
    0010:00 00 00 00 00 00 00 00 ........
    0018:00 00 00 00 00 50 56 C0 .....PVÀ
    0020:00 01 00 00 00 00 00 00 ........
    0028:00 00 00 00 00 00 00 00 ........
    0030:00 00 00 00 00 00 00 00 ........
    0038:00 00 00 00 00 00 00 00 ........
    0040:00 00 00 00 00 00 00 00 ........
    0048:00 00 00 00 00 00 00 00 ........
    0050:00 00 00 00 00 00 00 00 ........
    0058:00 00 00 00 00 00 00 00 ........
    0060:00 00 00 00 00 00 00 00 ........
    0068:00 00 00 00 00 00 00 00 ........
    0070:00 00 00 00 00 00 00 00 ........
    0078:00 00 00 00 00 00 00 00 ........
    0080:00 00 00 00 00 00 00 00 ........
    0088:00 00 00 00 00 00 00 00 ........
    0090:00 00 00 00 00 00 00 00 ........
    0098:00 00 00 00 00 00 00 00 ........
    00A0:00 00 00 00 00 00 00 00 ........
    00A8:00 00 00 00 00 00 00 00 ........
    00B0:00 00 00 00 00 00 00 00 ........
    00B8:00 00 00 00 00 00 00 00 ........
    00C0:00 00 00 00 00 00 00 00 ........
    00C8:00 00 00 00 00 00 00 00 ........
    00D0:00 00 00 00 00 00 00 00 ........
    00D8:00 00 00 00 00 00 00 00 ........
    00E0:00 00 00 00 00 00 00 00 ........
    00E8:00 00 00 00 63 82 53 63 ....c‚Sc
    00F0:35 01 01 FB 01 01 3D 07 5..û..=.
    00F8:01 00 50 56 C0 00 01 0C ..PVÀ...
    0100:05 61 6E 64 72 65 3C 08 .andre<.
    0108:4D 53 46 54 20 35 2E 30 MSFT 5.0
    0110:37 0A 01 0F 03 06 2C 2E 7.....,.
    0118:2F 1F 21 2B FF 00 00 00 /!+ÿ...
    0120:00 00 00 00 00 00 00 00 ........
    0128:00 00 00 00 ....

    Please help! These alerts don't stop!!!
     
  2. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    For the first packet I don't know exactly what the problem is, but you should check whether the MAC addresses of the blocked packet are correct.
    If the MAC address of your PC is not 00:02:A4:00:A0:E2, it is perhaps normal to have alerts on these packets.

    For the second packet it seems your PC is using the DHCP protocol to get its IP.

    Frederic
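
The second alert can be checked against its own bytes. The following is an added example (not part of the thread and not LnS code) that decodes that alert's payload as BOOTP/DHCP and reports the sending adapter; the packet is rebuilt from the hex dump in the first post, and the function and constant names are this example's own.

```python
import struct

# Rebuilt from the second hex dump in the first post: non-zero bytes are
# copied from it, the all-zero runs are filled in by offset.
PACKET = (
    bytes.fromhex("01010600" "CA0DAF71" "1C00" "8000")  # op/htype/hlen/hops, xid, secs, flags
    + bytes(16)                                   # ciaddr, yiaddr, siaddr, giaddr
    + bytes.fromhex("005056C00001") + bytes(10)   # chaddr, padded to 16 bytes
    + bytes(192)                                  # sname + file
    + bytes.fromhex("63825363")                   # DHCP magic cookie
    + bytes.fromhex("350101" "FB0101" "3D0701005056C00001" "0C05616E647265"
                    "3C084D53465420352E30" "370A010F03062C2E2F1F212B" "FF")
)
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
VMWARE_OUIS = {"00:05:69", "00:0C:29", "00:1C:14", "00:50:56"}  # IEEE OUIs registered to VMware

def parse_options(data):
    """Walk the code/length/value options that follow the magic cookie."""
    opts, i = {}, 0
    while i < len(data) and data[i] != 255:       # 255 = end of options
        if data[i] == 0:                          # 0 = pad, has no length byte
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated DHCP option")
        opts[data[i]] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    return opts

def parse_dhcp(pkt):
    """Summarise a BOOTP/DHCP payload (RFC 2131) for alert triage."""
    if len(pkt) < 240 or pkt[236:240] != b"\x63\x82\x53\x63":
        raise ValueError("not a DHCP payload")
    op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", pkt[:12])
    if hlen > 16:
        raise ValueError("bad hardware address length")
    mac = ":".join(f"{b:02X}" for b in pkt[28:28 + hlen])
    opts = parse_options(pkt[240:])
    return {
        "op": {1: "BOOTREQUEST", 2: "BOOTREPLY"}.get(op, op),
        "xid": f"{xid:08X}",
        "broadcast": bool(flags & 0x8000),
        "client_mac": mac,
        "vmware_oui": mac[:8] in VMWARE_OUIS,
        "msg_type": MSG_TYPES.get((opts.get(53) or b"\0")[0]),
        "hostname": opts.get(12, b"").decode("ascii", "replace"),
        "vendor_class": opts.get(60, b"").decode("ascii", "replace"),
    }

if __name__ == "__main__":
    print(parse_dhcp(PACKET))
```

The decoded client hardware address equals the source MAC shown in the alert, and its first three bytes fall in a VMware-registered OUI, so the broadcast is a DHCP DISCOVER from a VMware virtual adapter on the host.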
     