I still use Base as a web frontend to my snort installation. I know a lot of people are using things like Snorby now, but I think Base does everything I need it to do. Anyway, I was looking at Base this afternoon and I noticed over 200 new alerts.
All of the alerts were from my main router and they were of the type "ICMP Test". Closer examination showed that the router was trying to ping a machine that was unreachable. Since my router also acts as my DNS and DHCP server, I checked the syslog on that machine.
The syslog was full of DHCP offers to the same IP address that snort was showing as unreachable. I took the MAC address and ran it through an online MAC to vendor lookup and it showed me that it was a MAC from Motorola CHS. I went through the house restarting all of my Motorola cable boxes. Since doing that I noticed that the DHCP log shows that an acknowledgment was sent in response to the DHCP offer. Snort has also stopped alerting for that particular ICMP Test.
I guess one of the cable boxes just got hung up a bit. It happens from time to time. Usually I don't catch the problem until it is too late (e.g. my favorite TV shows aren't recording as scheduled in the DVR). Thanks to Snort and Base, that won't be a problem tonight.
No comments:
Post a Comment