Snort mailing list archives
Re: Incident Identification
From: Phil Wood <cpw () lanl gov>
Date: Sun, 23 Dec 2001 21:34:02 -0700
Is W.X.Y.Z a bona fide Domain Name Server? If so, it could just be some broken client software attempting to connect to the server. You might want to see if a 3-way handshake happened and a real request was sent and honored. Otherwise, it probably is a probe. As it stands there is not enough information to zero in on just what it is all about.

On Sun, Dec 23, 2001 at 09:34:38PM -0500, Frank Reid wrote:
> I'm seeing a pattern of these alerts against a few hosts (destination port tcp 53) and, it appears, a payload of nulls. Does anyone know whether these occur benignly or whether they're associated with some probe. Is it possible they're trying to co-opt DNS services to tunnel through a stateful inspection firewall?
>
> Thanks!
> Frank
>
> BAD TRAFFIC data in TCP SYN packet
> IPv4: A.B.C.D -> W.X.Y.Z
>       hlen=5 TOS=0 dlen=64 ID=13603 flags=0 offset=0 TTL=244 chksum=18433
> TCP:  port=2402 -> dport: 53 flags=******S* seq=2027431866 ack=0 off=5 res=0 win=2048 urp=0 chksum=46093
> Payload: length = 24
> 000 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 010 : 00 00 00 00 00 00 00 00                         ........
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Phil Wood, cpw () lanl gov
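The reply's triage advice, turned into code as an added example (it is not code from Snort or from either poster): parse an alert in the text layout quoted above, decode Snort's eight-character flag string, check whether the payload is all nulls or a plausible DNS-over-TCP request, and then ask the question the reply poses, namely whether the flow's three-way handshake ever completed. The alert text, addresses (documentation ranges in place of A.B.C.D and W.X.Y.Z) and the flow packet lists are constructed, and the function names are the example's own.

```python
"""Triage a Snort 'data in TCP SYN packet' alert against port 53.

Added example for this thread, not code from Snort or the posters.
"""
import re
from dataclasses import dataclass

# Constructed sample in the same layout as the alert quoted in the thread.
# Addresses are documentation ranges standing in for A.B.C.D / W.X.Y.Z.
SAMPLE_ALERT = """BAD TRAFFIC data in TCP SYN packet
IPv4: 192.0.2.10-> 198.51.100.53 hlen=5 TOS=0 dlen=64 ID=13603 flags=0 offset=0 TTL=244 chksum=18433
TCP: port=2402 -> dport: 53 flags=******S* seq=2027431866 ack=0 off=5 res=0 win=2048 urp=0 chksum=46093
Payload: length = 24
000 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
010 : 00 00 00 00 00 00 00 00 ........
"""

# Snort prints TCP flags as a fixed 8-character string in this order:
# reserved bit 1, reserved bit 2, URG, ACK, PSH, RST, SYN, FIN ('*' = not set),
# so '******S*' is a bare SYN and '***A**S*' is a SYN/ACK.
FLAG_ORDER = "12UAPRSF"


@dataclass
class TcpAlert:
    src: str
    dst: str
    sport: int
    dport: int
    flags: set      # subset of FLAG_ORDER characters that are set
    payload: bytes


def parse_flags(flag_str: str) -> set:
    """Decode Snort's flag column into the set of flags that are set."""
    if len(flag_str) != len(FLAG_ORDER):
        raise ValueError("unexpected flag string: %r" % flag_str)
    return {c for c, expected in zip(flag_str, FLAG_ORDER) if c == expected}


def parse_alert(text: str) -> TcpAlert:
    """Parse the IPv4, TCP and Payload lines of a Snort text alert."""
    ip = re.search(r"IPv4:\s*(\S+?)\s*->\s*(\S+)", text)
    tcp = re.search(r"port=(\d+)\s*->\s*dport:\s*(\d+)\s+flags=(\S{8})", text)
    plen = re.search(r"Payload:\s*length\s*=\s*(\d+)", text)
    if not (ip and tcp and plen):
        raise ValueError("not a recognised Snort TCP alert")
    remaining = int(plen.group(1))
    payload = bytearray()
    # Hex-dump rows: 3-digit offset, ' : ', up to 16 hex bytes, ASCII column.
    # Bytes are counted against the declared length so the ASCII column can
    # never be mistaken for hex (it may legitimately contain text like 'aa').
    for row in re.finditer(r"^\s*[0-9A-Fa-f]{3} : (.*)$", text, re.M):
        tokens = row.group(1).split()
        take = min(16, remaining)
        payload.extend(int(t, 16) for t in tokens[:take])
        remaining -= take
        if remaining <= 0:
            break
    return TcpAlert(ip.group(1), ip.group(2), int(tcp.group(1)), int(tcp.group(2)),
                    parse_flags(tcp.group(3)), bytes(payload))


def looks_like_dns_over_tcp(payload: bytes) -> bool:
    """DNS over TCP starts with a 2-byte big-endian length followed by at
    least a 12-byte DNS header; 24 null bytes fail on the zero length prefix."""
    if len(payload) < 14:
        return False
    declared = int.from_bytes(payload[:2], "big")
    return 12 <= declared <= len(payload) - 2


def handshake_completed(packets, client, server) -> bool:
    """True if the client->server SYN was answered by a SYN/ACK and ACKed.
    packets: iterable of (src, dst, flag_set) in capture order."""
    state = 0
    for src, dst, flags in packets:
        if state == 0 and (src, dst) == (client, server) and "S" in flags and "A" not in flags:
            state = 1
        elif state == 1 and (src, dst) == (server, client) and {"S", "A"} <= flags:
            state = 2
        elif state == 2 and (src, dst) == (client, server) and "A" in flags and "S" not in flags:
            return True
    return False


def triage(alert: TcpAlert, flow_packets) -> str:
    """Apply the reply's reasoning: handshake plus real request points at a
    broken client; no handshake points at a probe."""
    if not ("S" in alert.flags and "A" not in alert.flags and alert.payload):
        return "not-a-syn-with-data"
    if handshake_completed(flow_packets, alert.src, alert.dst):
        if looks_like_dns_over_tcp(alert.payload):
            return "handshake-ok-check-request"
        return "handshake-ok-broken-client"
    return "null-payload-probe" if not any(alert.payload) else "data-in-syn-probe"


if __name__ == "__main__":
    a = parse_alert(SAMPLE_ALERT)
    # Constructed flow: the SYN was never answered, so no handshake.
    print(triage(a, [(a.src, a.dst, a.flags)]))
```

The flow list would normally come from the capture around the alert; the point of `handshake_completed` is that an unanswered SYN with a null payload is the probe case from the reply, while a completed handshake followed by a valid length-prefixed DNS message is the broken-client case.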