Hi,

Look at this event:

Jun 21 18:12:01 xxx 11 firestorm-nids053: 1056211921.440716 alert=sig.tcp sig=1431.4 priority=2 src=217.128.40.199 dst=24.78.142.0 proto=6 spt=4662 dpt=3889 flags=*S**A*** from=server server=SYN_SENT client=SYN_RECV : BAD TRAFFIC syn to multicast address

Look at this rule (included in firestorm053):

/xxx/snort-rules/bad-traffic.rules:alert tcp any any -> [232.0.0.0/8,233.0.0.0/8,239.0.0.0/8] any (msg:"BAD TRAFFIC syn to multicast address"; flags:S+; classtype:bad-unknown; sid:1431; rev:4;)

And read the tcpdump file (attached):

18:12:01.440705 24.78.142.0.3889 > 217.128.40.199.4662: S [tcp sum ok] 311693554:311693554(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 113, id 53684, len 48)

... Yes, it is not a multicast IP, but I have an xxx.xxx.xxx.0 IP! (Yes, this traffic is eDonkey P2P.) Firestorm 053 and previous versions have the same problem...

I use firestorm-nids on FreeBSD 4.8 with the syslog patch.

Regards.
Attachment:
firestorm-badtrafficsyntomulticastaddress.tcpdump.gz
Description: GNU Zip compressed data
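As an added check (this is example code, not part of the post, of Firestorm or of the Snort rule set): the script below parses the quoted alert line and the quoted rule header, then tests the alert's src/dst against the rule's address specs with ordinary CIDR matching. The alert and rule strings are copied from the post; the function names and the minimal Snort address-spec parser are my own assumptions, and the parser handles only `any`, a single CIDR, a bracketed comma list and a leading `!`, which is all the quoted rule needs.

```python
import ipaddress
import re

# Copies of the alert line and rule quoted in the post above (constructed input).
ALERT_LINE = (
    "Jun 21 18:12:01 xxx 11 firestorm-nids053: 1056211921.440716 alert=sig.tcp "
    "sig=1431.4 priority=2 src=217.128.40.199 dst=24.78.142.0 proto=6 spt=4662 "
    "dpt=3889 flags=*S**A*** from=server server=SYN_SENT client=SYN_RECV "
    ": BAD TRAFFIC syn to multicast address"
)
RULE_LINE = (
    "alert tcp any any -> [232.0.0.0/8,233.0.0.0/8,239.0.0.0/8] any "
    '(msg:"BAD TRAFFIC syn to multicast address"; flags:S+; '
    "classtype:bad-unknown; sid:1431; rev:4;)"
)


def parse_alert(line):
    """Pull the key=value fields out of a Firestorm syslog alert line."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def parse_rule_header(rule):
    """Split a Snort rule header (everything before the options '(') into its
    seven fields: action proto src sport direction dst dport."""
    action, proto, src, sport, direction, dst, dport = rule.split("(", 1)[0].split()
    return dict(action=action, proto=proto, src=src, sport=sport,
                direction=direction, dst=dst, dport=dport)


def parse_addr_spec(spec):
    """Minimal Snort address spec parser (assumption: only 'any', one CIDR,
    a bracketed comma list, and an optional leading '!' are supported).
    Returns (list_of_networks, negated)."""
    negated = spec.startswith("!")
    body = spec.lstrip("!").strip("[]")
    if body == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], negated
    nets = [ipaddress.ip_network(p.strip(), strict=False) for p in body.split(",")]
    return nets, negated


def addr_matches(ip, spec):
    """True if ip satisfies the address spec, honouring negation."""
    nets, negated = parse_addr_spec(spec)
    hit = any(ipaddress.ip_address(ip) in net for net in nets)
    return hit != negated


def check_alert_against_rule(alert_line, rule_line):
    """Re-evaluate the rule header against the addresses the alert reports,
    so a reported match can be confirmed or shown to be a false positive."""
    alert = parse_alert(alert_line)
    header = parse_rule_header(rule_line)
    dst = ipaddress.ip_address(alert["dst"])
    return {
        "sid": int(alert["sig"].split(".")[0]),
        "src_in_rule": addr_matches(alert["src"], header["src"]),
        "dst_in_rule": addr_matches(alert["dst"], header["dst"]),
        "dst_is_multicast": dst.is_multicast,          # anything in 224.0.0.0/4
        "dst_last_octet_zero": int(alert["dst"].split(".")[-1]) == 0,
    }


if __name__ == "__main__":
    for key, value in check_alert_against_rule(ALERT_LINE, RULE_LINE).items():
        print(f"{key}: {value}")
```

Run as-is, the check reports that dst 24.78.142.0 is in none of the three /8 networks the rule lists and is not a multicast address at all, which is the inconsistency the post describes (the only thing unusual about the address is its zero host octet). Two further points worth keeping in mind when reading the quoted output: the rule lists only 232/8, 233/8 and 239/8, so a SYN to, say, 224.0.0.1 would not trigger it either, even though that is multicast; and the tcpdump line shows the SYN going from 24.78.142.0 to 217.128.40.199, the reverse of the src/dst the alert prints alongside `from=server`.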