Snort mailing list archives
Incident Identification
From: "Frank Reid" <fcreid () ourcorner org>
Date: Sun, 23 Dec 2001 21:34:38 -0500
I'm seeing a pattern of these alerts against a few hosts (destination port tcp 53) and, it appears, a payload of nulls. Does anyone know whether these occur benignly or whether they're associated with some probe? Is it possible they're trying to co-opt DNS services to tunnel through a stateful inspection firewall?

Thanks!

Frank

BAD TRAFFIC data in TCP SYN packet
IPv4: A.B.C.D -> W.X.Y.Z
      hlen=5 TOS=0 dlen=64 ID=13603 flags=0 offset=0 TTL=244 chksum=18433
TCP:  port=2402 -> dport: 53 flags=******S* seq=2027431866 ack=0 off=5 res=0 win=2048 urp=0 chksum=46093
Payload: length = 24
000 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
010 : 00 00 00 00 00 00 00 00                         ........
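The condition behind the alert above is simple: a TCP segment with SYN set and ACK clear should carry no payload, and Snort's "BAD TRAFFIC data in TCP SYN packet" fires when one does. The following is an added example, not code from the list post or from the Snort project, that builds a raw IPv4/TCP frame with the header fields shown in the alert (hlen=5, TOS=0, dlen=64, ID=13603, TTL=244, 2402 -> 53, SYN only, seq=2027431866, win=2048, 24 null payload bytes), decodes it, renders the flags in the "12UAPRSF" style Snort 1.x prints, and classifies SYN-with-data segments, separating the all-nulls case seen here from SYNs that carry real data. The addresses A.B.C.D / W.X.Y.Z are anonymised in the post, so the sample substitutes RFC 5737 documentation addresses (an assumption); the checksums therefore differ from the ones in the alert.

```python
"""Flag TCP SYN segments that carry payload bytes (the condition behind
Snort's 'BAD TRAFFIC data in TCP SYN packet' alert) in raw IPv4 frames.

Added example for the list thread; the sample frame is constructed here,
not captured. Header fields follow the posted alert; the IP addresses are
assumed (RFC 5737 documentation ranges) because the post anonymises them.
"""
import ipaddress
import struct
from typing import Optional

# TCP flag bits (low octet of the flags field).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, seq: int,
                   flags: int, win: int, payload: bytes,
                   ip_id: int = 0, ttl: int = 64) -> bytes:
    """Assemble a minimal IPv4+TCP frame (no options) with valid checksums."""
    src_b = ipaddress.ip_address(src).packed
    dst_b = ipaddress.ip_address(dst).packed
    tcp_len = 20 + len(payload)
    # data offset 5 (20-byte header), checksum and urgent pointer zero for now
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, win, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, tcp_len)
    tcp_csum = inet_checksum(pseudo + tcp_hdr + payload)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", tcp_csum) + tcp_hdr[18:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, ip_id, 0,
                         ttl, 6, 0, src_b, dst_b)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(frame: bytes) -> dict:
    """Decode IPv4 and TCP headers; reject non-TCP frames and bad IP checksums."""
    ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", frame[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP frame")
    if inet_checksum(frame[:ihl]) != 0:  # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    tcp = frame[ihl:total_len]
    sport, dport, seq, _ack, off, flags, win, _tcsum, _urp = struct.unpack("!HHIIBBHHH", tcp[:20])
    doff = (off >> 4) * 4
    return {
        "src": str(ipaddress.ip_address(frame[12:16])),
        "dst": str(ipaddress.ip_address(frame[16:20])),
        "ttl": ttl, "ip_id": ip_id, "sport": sport, "dport": dport,
        "seq": seq, "flags": flags, "win": win, "payload": tcp[doff:],
    }


def snort_flag_string(flags: int) -> str:
    """Render flags as Snort 1.x alerts do: positions '12UAPRSF', '*' if unset."""
    order = ((CWR, "1"), (ECE, "2"), (URG, "U"), (ACK, "A"),
             (PSH, "P"), (RST, "R"), (SYN, "S"), (FIN, "F"))
    return "".join(ch if flags & bit else "*" for bit, ch in order)


def classify_syn_data(frame: bytes) -> Optional[str]:
    """Verdict for a pure SYN (no ACK) that carries payload, else None.

    The all-nulls case is what the thread reports; non-null data in a SYN
    deserves separate follow-up (today a legitimate cause would be TCP Fast
    Open, RFC 7413, which postdates this 2001 thread).
    """
    p = parse_ipv4_tcp(frame)
    if not (p["flags"] & SYN) or (p["flags"] & ACK) or not p["payload"]:
        return None
    return "syn-with-null-data" if not any(p["payload"]) else "syn-with-data"


# Constructed sample with the alert's header fields; addresses are assumed.
SAMPLE_FRAME = build_ipv4_tcp("192.0.2.10", "198.51.100.53", 2402, 53,
                              2027431866, SYN, 2048, b"\x00" * 24,
                              ip_id=13603, ttl=244)

if __name__ == "__main__":
    p = parse_ipv4_tcp(SAMPLE_FRAME)
    print("IPv4: %s -> %s dlen=%d ID=%d TTL=%d" % (p["src"], p["dst"], len(SAMPLE_FRAME), p["ip_id"], p["ttl"]))
    print("TCP: port=%d -> dport: %d flags=%s seq=%d win=%d" % (p["sport"], p["dport"], snort_flag_string(p["flags"]), p["seq"], p["win"]))
    print("Payload: length = %d  verdict: %s" % (len(p["payload"]), classify_syn_data(SAMPLE_FRAME)))
```

Run against a pcap by feeding each IPv4 packet's bytes (after stripping the link-layer header) to classify_syn_data; a SYN/ACK or a payload-less SYN returns None, so only the anomalous segments surface.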
Current thread:
- SNORT DROPPING PACKETS Bartholomew Simpson (Dec 22)
- <Possible follow-ups>
- RE: SNORT DROPPING PACKETS Crow, Owen (Dec 22)
- RE: SNORT DROPPING PACKETS Greg Herlein (Dec 23)
- RE: SNORT DROPPING PACKETS Crow, Owen (Dec 23)
- Re: SNORT DROPPING PACKETS Chris Green (Dec 23)
- Re: SNORT DROPPING PACKETS Phil Wood (Dec 23)
- Incident Identification Frank Reid (Dec 23)
- Re: Incident Identification Phil Wood (Dec 23)
- same SRC/DST James (Dec 24)
- Re: same SRC/DST Kyle R Maxwell (Dec 25)
- Re: same SRC/DST James (Dec 25)
- Re: same SRC/DST Ashley Thomas (Dec 25)
- Re: Incident Identification (data in TCP syn packet) Matt Kettler (Dec 26)
- Re: Incident Identification (data in TCP syn packet) james (Dec 26)
- I want to dump full packets, but just for one rule james (Dec 26)
- Re: SNORT DROPPING PACKETS Phil Wood (Dec 23)