
Sunday, August 16, 2009

Strange traffic in Snort logs

Yesterday, I was messing around with an older machine which had an older version (and rules) of Snort.

I let it run overnight, sniffing internal network traffic. Today, I checked the logs and saw the following:

root@slackbox:/var/log/snort# cat alert | grep 204.176.49.2
10.150.1.133:32834 -> 204.176.49.2:80 TCP TTL:63 TOS:0x0 ID:40635 IpLen:20 DgmLen:576 DF
10.150.1.133:32882 -> 204.176.49.2:80 TCP TTL:63 TOS:0x0 ID:22086 IpLen:20 DgmLen:576 DF

The whole trace is here, since Blogger tends to choke on hex payloads.

So, I've a few questions:

1. Who is 10.150.1.133?

2. Who is 204.176.49.2 and 204.176.49.9?

3. So, I have a Tivo system in the house (the payload confirms this). Why is my Tivo calling out to an IP address that is owned by Verizon Business?

4. Why is my production internal Snort sensor not picking up this traffic but this test internal sensor is?

I've some answers to those questions:

1. 10.150.1.133 is a Linksys WRT54GX4 router. This was somewhat difficult for me to find out, because my main router doesn't normally chat with this particular router (it is isolated). The WRT54GX4's sole purpose is to provide internet connectivity for my Tivo. The Tivo uses an old USB wifi adapter that only supports WEP, so I use the WRT54GX4 to provide connectivity for the Tivo, lessening the risk of using WEP by isolating that WAP from the rest of the network. To find out what IP the Tivo itself is using, I'd have to sniff traffic on the WRT54GX4's network, which I don't normally do. What I did instead was ping the IP, then check the ARP table of the machine I pinged from. This told me the hostname and MAC address of the IP. Once I saw the hostname, I knew it had to be the Tivo generating this traffic (the payload above also helped).

2. I did a 'whois' search on IPs 204.176.49.2 and 204.176.49.9. Both show as belonging to Verizon Business. What threw me for a loop was that I was expecting it to show as owned by Tivo. After thinking on this a bit, it is more than likely that Verizon Business is providing IP space to Tivo (and maybe other hosting services). That is news to me, since I actually work for Verizon Business and am heavily involved in networking services.

3. I conducted Google searches on the IPs and came up with tons of hits. Some hits documented people who saw traffic outbound from their network to those IPs and they were concerned, but most of the hits show that the outbound connections are part of the Tivo service.

4. It is obvious that I have to compare the two internal Snort sensors' config files, specifically the http_inspect settings. Both internal sensors are on the same subnet (the Tivo is not: the WRT router is behind my main router and uses different IP space, and the Tivo is behind that router), so both sensors should've seen it. This leads me to believe that I've been missing some internal traffic, so I'll look into this issue soon.

I just wanted to post this so that when/if anyone who owns a Tivo sees such traffic, they won't get alarmed (I didn't find a specific page stating that this was normal traffic).
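The triage in this post (grep the alert file for a destination, work out which internal host is talking, decide whether the destination is expected) is easy to script. The following is an added example, not code from the original post: it parses Snort packet-header lines in the format shown above, keeps only internal-to-external flows, and summarizes them per destination so that a sensor's output can be reviewed in bulk. The sample input is constructed for the example: the two lines from the post plus one extra line for 204.176.49.9 and one non-packet line that the parser must skip. Whois lookups and sensor paths are left out so the block runs offline.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample input: the two header lines from the post, one extra
# constructed line for the second destination mentioned in the post, and a
# constructed non-packet line that must be ignored by the parser.
SAMPLE_ALERTS = """\
10.150.1.133:32834 -> 204.176.49.2:80 TCP TTL:63 TOS:0x0 ID:40635 IpLen:20 DgmLen:576 DF
10.150.1.133:32882 -> 204.176.49.2:80 TCP TTL:63 TOS:0x0 ID:22086 IpLen:20 DgmLen:576 DF
10.150.1.133:32901 -> 204.176.49.9:80 TCP TTL:63 TOS:0x0 ID:40702 IpLen:20 DgmLen:576 DF
[**] [1:1000001:1] constructed rule header line, not a packet line [**]
"""

# Matches the packet-header line Snort writes under each alert:
#   src:sport -> dst:dport PROTO TTL:n TOS:0xn ID:n IpLen:n DgmLen:n [flags...]
HEADER_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+(?P<proto>\w+)"
    r"\s+TTL:(?P<ttl>\d+)\s+TOS:(?P<tos>0x[0-9a-fA-F]+)\s+ID:(?P<ipid>\d+)"
    r"\s+IpLen:(?P<iplen>\d+)\s+DgmLen:(?P<dgmlen>\d+)(?P<flags>(?:\s+\w+)*)\s*$"
)


def parse_alert_line(line):
    """Return a dict of header fields for a packet line, or None for any other line."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "proto": d["proto"], "ttl": int(d["ttl"]),
        "ip_id": int(d["ipid"]), "dgmlen": int(d["dgmlen"]),
        "flags": d["flags"].split(),  # e.g. ["DF"]
    }


def is_private(ip):
    """RFC 1918 / loopback / link-local addresses count as internal."""
    return ipaddress.ip_address(ip).is_private


def summarize_outbound(text):
    """Group internal->external flows by destination: hit count, source hosts, destination ports."""
    summary = defaultdict(lambda: {"count": 0, "sources": set(), "dports": set()})
    for line in text.splitlines():
        rec = parse_alert_line(line)
        if rec is None:
            continue  # rule headers, payload dumps, separators
        if is_private(rec["src"]) and not is_private(rec["dst"]):
            entry = summary[rec["dst"]]
            entry["count"] += 1
            entry["sources"].add(rec["src"])
            entry["dports"].add(rec["dport"])
    return dict(summary)


def format_report(summary):
    """One line per external destination, busiest first, ready for a whois pass."""
    lines = []
    for dst, e in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        lines.append(
            f"{dst}: {e['count']} hits from {sorted(e['sources'])} on ports {sorted(e['dports'])}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    # With a real sensor, read /var/log/snort/alert instead of SAMPLE_ALERTS.
    print(format_report(summarize_outbound(SAMPLE_ALERTS)))
```

Two things the parsed fields give you beyond the grep in the post: the source list per destination tells you immediately which internal host (here the WRT54GX4's address, since the Tivo sits behind it) to chase with ping and the ARP table, and the TTL is a cheap topology check: if the device behind the router starts at an initial TTL of 64, seeing 63 at a sensor on the main subnet is consistent with exactly one router hop, which matches the layout described above.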

Monday, July 30, 2007

Latest Happenings...

Hey all...it's been a while.

What's been happening? I've upgraded my Slackware machine to v12.0, wiping my partitions and doing a fresh install. Why? I'd been upgrading my Slack install since v10.0 and the install was becoming rather stagnant, so I backed up the important things and did a reinstall with little issues. I'm not quite done setting things up yet (like grabbing the latest graphics drivers (Nvidia) and testing compiz). I'm quite happy with v12.0, although I've got my work cut out for me concerning learning the differences between this version and the last...I know there were some rather substantial changes, from what I've heard.

What else have I been doing? Delving into FreeBSD and OpenBSD a bit more. I've converted my FreeBSD machine's firewall from ipf to pf. The .conf files use similar syntax, but the command structure is quite different, along with the number of functions that pf can perform. pf appears quite a bit more robust than ipf...ipf appears to be a minor reflection of pf. I'm definitely learning things, even though the machine that pf is running on only serves SSH connections...that's quite enough for me at this point in time.

I've also decided to reflash my Linksys router to an open-source firmware called Tomato. It runs on the WRT54G/GS, some Buffalo units, and other Broadcom-based routers. It appears very robust and easy to set up. It is also easy to revert back to the original firmware. I recommend giving this one a shot. It is not meant to be something akin to OpenWRT or similar...it's designed to be and stay light and fast, which it is, but it also has plugins for functionality that may be mandatory for the above-average hacker.

I've also just returned from vacation in California. I think I may end up buying a home there, near the San Diego area, as that place is so much different than where I'm at now, plus we'll be close to relatives and nice vacation sites. I just have to start conducting employment research so I can see what that area can offer me, employment-wise. It may mean me going to a different part of the IT arena (sysadmin or something similar). I don't mind changing my job a bit, as long as I stay in some type of management position.

What projects do I have or plan on conducting? I intend to clean up my office and turn off some hardware or consolidate some server duties, because my office looks like a rat's nest. It's partly because there are no power outlets in my office (!!). Yeah, I'm renting, and the prior owners finished the basement but appeared to be in such a rush that they neglected to put the power outlets back in place. I think I can do one (maybe with my father's help)...one may be enough. Right now, I've a beefy power cord running from the storage area to my office space...everything is attached to that one strip (yeah, a bit dangerous, but I spent a bit of money on beefy surge protection).

Well, I think this post more than makes up for the last few weeks/months of non-activity. I shall try to be more vigilant in posting in the future (famous last words).