Snort mailing list archives
Incident Identification
From: "Frank Reid" <fcreid () ourcorner org>
Date: Sun, 23 Dec 2001 21:34:38 -0500
I'm seeing a pattern of these alerts against a few hosts (destination port
tcp 53) and, it appears, a payload of nulls. Does anyone know whether these
occur benignly or whether they're associated with some probe? Is it
possible they're trying to co-opt DNS services to tunnel through a stateful
inspection firewall? Thanks!
Frank
BAD TRAFFIC data in TCP SYN packet
IPv4: A.B.C.D-> W.X.Y.Z
hlen=5 TOS=0 dlen=64 ID=13603 flags=0 offset=0 TTL=244 chksum=18433
TCP: port=2402 -> dport: 53 flags=******S* seq=2027431866
ack=0 off=5 res=0 win=2048 urp=0 chksum=46093
Payload: length = 24
000 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
010 : 00 00 00 00 00 00 00 00 ........
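The alert above is Snort's text decode of one packet. As an added example (not code from the post or from the Snort project), the following Python parses that decode back into fields and applies the three checks a defender would run while triaging it: is there data in a SYN that carries no ACK (the condition the "data in TCP SYN packet" rule names; an ordinary TCP stack sends an empty SYN, so a real DNS-over-TCP query would not trigger it), is the payload entirely null bytes, and is the target tcp/53. It also groups alerts by source so that one source hitting several destinations stands out. The sample alert is the one quoted above re-typed as a constructed string; the second alert, with destination W.X.Y.9, is constructed to show the grouping. The Snort flag-string order "12UAPRSF" is the format Snort's decoder prints, with "*" for clear bits.

```python
import re
from dataclasses import dataclass

# Constructed sample: the Snort alert text quoted in the post, re-typed here.
SAMPLE_ALERT = """BAD TRAFFIC data in TCP SYN packet
IPv4: A.B.C.D-> W.X.Y.Z
hlen=5 TOS=0 dlen=64 ID=13603 flags=0 offset=0 TTL=244 chksum=18433
TCP: port=2402 -> dport: 53 flags=******S* seq=2027431866
ack=0 off=5 res=0 win=2048 urp=0 chksum=46093
Payload: length = 24
000 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
010 : 00 00 00 00 00 00 00 00 ........
"""

# Snort prints TCP flags left to right in this order, '*' for a clear bit:
# reserved bits 1 and 2, URG, ACK, PSH, RST, SYN, FIN.
FLAG_ORDER = "12UAPRSF"


@dataclass
class TcpAlert:
    msg: str
    src: str
    dst: str
    sport: int
    dport: int
    flags: str      # 8-character Snort flag string, e.g. "******S*"
    ttl: int
    payload: bytes


def parse_alert(text):
    """Parse a Snort text-mode TCP alert into a TcpAlert."""
    lines = [line.strip() for line in text.strip().splitlines()]
    msg = lines[0]
    m = re.search(r"IPv4:\s*(\S+?)\s*->\s*(\S+)", text)
    src, dst = m.group(1), m.group(2)
    ttl = int(re.search(r"TTL=(\d+)", text).group(1))
    m = re.search(r"TCP:\s*port=(\d+)\s*->\s*dport:\s*(\d+)\s*flags=(\S{8})", text)
    sport, dport, flags = int(m.group(1)), int(m.group(2)), m.group(3)

    # Hex dump lines follow the "Payload: length = N" line; each is
    # "<offset> : <hex bytes> <ascii column>". Collect the hex bytes only.
    declared = int(re.search(r"Payload:\s*length\s*=\s*(\d+)", text).group(1))
    start = next(i for i, line in enumerate(lines) if line.startswith("Payload:"))
    payload = bytearray()
    for line in lines[start + 1:]:
        m = re.match(r"^[0-9A-Fa-f]{3}\s*:\s*((?:[0-9A-Fa-f]{2}\s)+)", line)
        if m:
            payload += bytes.fromhex(m.group(1).replace(" ", ""))
    return TcpAlert(msg, src, dst, sport, dport, flags, ttl, bytes(payload[:declared]))


def flag_set(alert, letter):
    """True if the named flag (one of FLAG_ORDER) is set; '*' means clear."""
    return letter in alert.flags


def triage(alert):
    """Return short tags for the properties worth noting on this alert."""
    findings = []
    syn_only = flag_set(alert, "S") and not flag_set(alert, "A")
    if syn_only and alert.payload:
        # A normal handshake SYN carries no data, so a legitimate DNS-over-TCP
        # client would not trip this; a crafted packet would.
        findings.append("syn-with-data")
    if alert.payload and not any(alert.payload):
        # All zero bytes: nothing a DNS server would act on.
        findings.append("null-payload")
    if alert.dport == 53 and syn_only:
        findings.append("syn-to-tcp53")
    return findings


def summarize_by_source(alerts):
    """Map each source host to the sorted list of destinations it hit."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a.src, set()).add(a.dst)
    return {src: sorted(dsts) for src, dsts in by_src.items()}


if __name__ == "__main__":
    first = parse_alert(SAMPLE_ALERT)
    # Constructed second alert: same source, different destination.
    second = parse_alert(SAMPLE_ALERT.replace("W.X.Y.Z", "W.X.Y.9"))
    print(first.msg, triage(first))
    print(summarize_by_source([first, second]))
```

Feeding every alert of this signature through `summarize_by_source` answers the question the post raises about "a few hosts": a single source sweeping several destinations on tcp/53 with identical null payloads looks like a probe, whereas a misbehaving client would normally talk to one resolver.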