[Oisf-users] Finding the source of a broadcast

robert.jamison at bt.com robert.jamison at bt.com
Fri Apr 24 15:29:03 UTC 2015


Perhaps Slingbox? Echostar (parent company registering 00:0d:c5) owns both Sling and Hughes (link: http://en.wikipedia.org/wiki/EchoStar) and a posting (below) points 00:0d:c5 prefix to a SlingBox device:

                static-mapping Slingbox-350 {
                    ip-address 10.0.1.10
                    mac-address 00:0d:c5:00:00:00

(link: https://community.ubnt.com/t5/EdgeMAX/Ports-Do-Not-Open-Close-When-Forwarded/td-p/1137453)



Rob Jamison |  Assure Intelligence | BT Security

-----Original Message-----
From: oisf-users-bounces at lists.openinfosecfoundation.org [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of James Moe
Sent: Friday, April 24, 2015 2:19 AM
To: oisf-users at lists.openinfosecfoundation.org
Subject: [Oisf-users] Finding the source of a broadcast


Hello,
  suricata 2.0.7
  linux v3.16.7-7-desktop x86_64

  One of the alerts generated by suricata is for a "VLAN unknown type." It is, however, a broadcast from a device that implements a Spanning Tree Protocol (STP). This would imply a router.
  All I have is the MAC address of the device that is generating the broadcasts; they occur every 2 seconds. It does not match with any of the known devices or hosts on our network. Also: "This kernel does not support RARP." Hmph.

Ethernet II, Src: Echostar_17:53:1f (00:0d:c5:17:53:1f), Dst: Broadcast (ff:ff:ff:ff:ff:ff)

  Can anyone suggest a method of finding which device is emitting the broadcast?

- --
James Moe
moe dot james at sohnen-moe dot com
520.743.3936