Snort mailing list archives

strange data


From: "Leonardo Rodrigues" <coelho () persogo com br>
Date: Thu, 1 Nov 2001 10:56:32 -0300


    Hello Guys,

    I know this isn't exactly a snort related question. Although, as I'm
sure there are a lot of persons that are involved with
network/traffic/software stuff, I think somebody can help me here ....

    I got with snort a very strange traffic flowing from one of my NT
servers apparently for a LOT of internet broadcast addresses. They are
being correctly NOT forwarded by my firewall ( linux+ipchains ). But, I
don't have any idea of WHAT can be generating this strange traffic. It's
being originated on 1029/udp port, and snort log shows:

[**] Strange Traffic [**]
11/01-10:26:39.935238 192.6.1.190:1029 -> 200.246.167.255:41508
UDP TTL:128 TOS:0x0 ID:49620 IpLen:20 DgmLen:216
Len: 196
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 4E 54 53 41 47 41 00 00 DC 01 00 00  ....NTSAGA......
70 FF 97 01 76 CB F1 77 01 00 1F 00 00 00 00 00  p...v..w........
00 9C FD 7F 00 00 00 00 A0 CC F1 77 D8 00 00 00  ...........w....
00 00 00 00 32 30 37 30 34 37 34 00 00 00 04 00  ....2070474.....
00 00 04 00 00 00 13 00 30 E6 36 3A 00 00 13 00  ........0.6:....
30 89 39 3A 0C 00 00 00 11 10 00 00              0.9:........

    NTSAGA is my NT Netbios name. Looking on ports database, I couldn't
find any entry for 1029/UDP.

    Do you have any idea of what can be generating this traffic ??

    Sincerely,
    Leonardo Rodrigues
    Persocom Network
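
Added example, not part of the original post: a Python triage sketch that rebuilds the payload bytes from the hex dump in the alert above, checks them against the logged lengths, and lists the printable strings embedded in the payload. The function names are assumptions made for this example; the sample input is the alert text copied from the post.

```python
import re

# Alert text copied from the post above (header lines plus payload dump).
ALERT = """\
11/01-10:26:39.935238 192.6.1.190:1029 -> 200.246.167.255:41508
UDP TTL:128 TOS:0x0 ID:49620 IpLen:20 DgmLen:216
Len: 196
""" + "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n" * 6 + """\
00 00 00 00 4E 54 53 41 47 41 00 00 DC 01 00 00  ....NTSAGA......
70 FF 97 01 76 CB F1 77 01 00 1F 00 00 00 00 00  p...v..w........
00 9C FD 7F 00 00 00 00 A0 CC F1 77 D8 00 00 00  ...........w....
00 00 00 00 32 30 37 30 34 37 34 00 00 00 04 00  ....2070474.....
00 00 04 00 00 00 13 00 30 E6 36 3A 00 00 13 00  ........0.6:....
30 89 39 3A 0C 00 00 00 11 10 00 00              0.9:........
"""

# A dump row starts with 1 to 16 "XX " hex pairs; the ASCII column is ignored.
HEX_ROW = re.compile(r"^((?:[0-9A-Fa-f]{2} ){1,16})")

def payload_bytes(alert: str) -> bytes:
    """Rebuild the payload from the hex column of each dump row."""
    out = bytearray()
    for line in alert.splitlines():
        m = HEX_ROW.match(line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)

def lengths_consistent(alert: str) -> bool:
    """In this alert, Len = payload + 8-byte UDP header and DgmLen = IpLen + Len."""
    ip_len = int(re.search(r"IpLen:(\d+)", alert).group(1))
    dgm_len = int(re.search(r"DgmLen:(\d+)", alert).group(1))
    udp_len = int(re.search(r"^Len: (\d+)", alert, re.M).group(1))
    return udp_len == len(payload_bytes(alert)) + 8 and dgm_len == ip_len + udp_len

def printable_strings(data: bytes, min_len: int = 4):
    """Return (offset, text) for each run of printable ASCII, like strings(1)."""
    return [(m.start(), m.group().decode("ascii"))
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

if __name__ == "__main__":
    data = payload_bytes(ALERT)
    print(len(data), "payload bytes; lengths consistent:", lengths_consistent(ALERT))
    for off, text in printable_strings(data):
        print(f"offset {off:#06x}: {text}")
```

The offsets it reports give fixed positions for the two readable fields, which helps when comparing this datagram against other captures from the same host.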


