Snort mailing list archives
RE: Interesting traffic...
From: Mark Mason <mark.mason () grandecom com>
Date: Wed, 27 Feb 2002 15:29:07 -0600
Thanks, that helps. I probably should have also included the fact that my network is comprised of WANs and VLANs. My central router that most traffic has to go through is set up to drop packets from the 127.0.0.0 network:

    access-list 101 deny ip 127.0.0.0 0.255.255.255 any

Most traffic on my network has to go through the router, unless it is on the same VLAN as the router, but the only thing on that VLAN is network equipment. So while it does appear to be generated internally, I am confused as to how it even got to my firewall (where Snort is looking at it).

-----Original Message-----
From: Scott Taylor [mailto:scottt () soccer com]
Sent: Tuesday, February 26, 2002 6:28 PM
To: Mark Mason
Subject: Re: [Snort-users] Interesting traffic...

With the TcpLen: 40 (which is the packet length) and the MSS set, which adds 4 bytes to the packet, your minimum packet length should be 44. So it looks like it isn't a valid packet. It's crafted or custom. Also, the two NOPs in the TCP header would lead me to believe it's coming from a 2000 host? I'm just learning this stuff, so don't take it as gospel. You should find out where that's coming from. What's weird is the 1 NOP in the IP options portion...... Hopefully someone here will have a better light to shine on this one.

Cheers, Scott

[**] [1:528:2] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
02/26-11:25:30.667238 127.0.0.1:15158 -> xxx.xxx.xxx.xxx:6473
TCP TTL:63 TOS:0x0 ID:9155 IpLen:28 DgmLen:68 DF
IP Options (2) => LSRR NOP
******S* Seq: 0x1BE3F7DA  Ack: 0x0  Win: 0xFFFF  TcpLen: 40
TCP Options (6) => MSS: 16344 NOP WS: 1 NOP NOP TS: 281854 0

[**] [1:528:2] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
02/26-11:25:33.657238 127.0.0.1:15158 -> xxx.xxx.xxx.xxx:6473
TCP TTL:63 TOS:0x0 ID:9156 IpLen:28 DgmLen:68 DF
IP Options (2) => LSRR NOP
******S* Seq: 0x1BE3F7DA  Ack: 0x0  Win: 0xFFFF  TcpLen: 40
TCP Options (6) => MSS: 1460 NOP WS: 1 NOP NOP TS: 282154 0

[**] [1:528:2] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
02/26-11:25:36.657238 127.0.0.1:15158 -> xxx.xxx.xxx.xxx:6473
TCP TTL:63 TOS:0x0 ID:9157 IpLen:28 DgmLen:68 DF
IP Options (2) => LSRR NOP
******S* Seq: 0x1BE3F7DA  Ack: 0x0  Win: 0xFFFF  TcpLen: 40
TCP Options (6) => MSS: 1460 NOP WS: 1 NOP NOP TS: 282454 0

---- End Original Message ----

THERE IS ONLY ONE... SOCCER.COM, The Center of the Soccer Universe
http://www.soccer.com
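As an added example (this is editor-supplied code, not from the thread or from the Snort project), the script below parses alert records in the full-alert format quoted above and cross-checks the header lengths Snort printed against the options it listed: IpLen against the IP options, TcpLen against the TCP options, and DgmLen against both. It also flags the two properties visible in the records, a source in 127.0.0.0/8 and a loose-source-route (LSRR) option. Option sizes are the RFC values (MSS 4, NOP 1, WS 3, TS 10; LSRR is 3 bytes plus 4 per address slot); the sample input reproduces two of the quoted records with the destination left masked as in the post.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Any, Dict, List

# Constructed sample input: two of the alerts quoted in the thread, reproduced as
# Snort prints them (the destination is masked in the post and kept that way here).
SAMPLE_ALERTS = """\
[**] [1:528:2] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
02/26-11:25:30.667238 127.0.0.1:15158 -> xxx.xxx.xxx.xxx:6473
TCP TTL:63 TOS:0x0 ID:9155 IpLen:28 DgmLen:68 DF
IP Options (2) => LSRR NOP
******S* Seq: 0x1BE3F7DA  Ack: 0x0  Win: 0xFFFF  TcpLen: 40
TCP Options (6) => MSS: 16344 NOP WS: 1 NOP NOP TS: 281854 0

[**] [1:528:2] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
02/26-11:25:33.657238 127.0.0.1:15158 -> xxx.xxx.xxx.xxx:6473
TCP TTL:63 TOS:0x0 ID:9156 IpLen:28 DgmLen:68 DF
IP Options (2) => LSRR NOP
******S* Seq: 0x1BE3F7DA  Ack: 0x0  Win: 0xFFFF  TcpLen: 40
TCP Options (6) => MSS: 1460 NOP WS: 1 NOP NOP TS: 282154 0
"""

# Wire sizes of the fixed-length options Snort names (RFC 791, 793, 1323, 2018).
# Source-route/record-route options are variable: 3 bytes plus 4 per address slot.
TCP_OPT_SIZE = {"MSS": 4, "NOP": 1, "EOL": 1, "WS": 3, "SackOK": 2, "TS": 10}
IP_OPT_SIZE = {"NOP": 1, "EOL": 1}
IP_OPT_VARIABLE = {"LSRR", "SSRR", "RR"}
LOOPBACK = ip_network("127.0.0.0/8")

ALERT_RE = re.compile(r"^\[\*\*\] \[(\d+:\d+:\d+)\] (.+?) \[\*\*\]$")
FLOW_RE = re.compile(r"^\S+ (\S+):\d+ -> (\S+):\d+$")
IPHDR_RE = re.compile(r"^TCP TTL:\d+ TOS:0x[0-9A-Fa-f]+ ID:\d+ IpLen:(\d+) DgmLen:(\d+)")
IPOPT_RE = re.compile(r"^IP Options \(\d+\) => (.+)$")
TCPOPT_RE = re.compile(r"^TCP Options \(\d+\) => (.+)$")
TCPLEN_RE = re.compile(r"TcpLen: (\d+)")

Alert = Dict[str, Any]   # one parsed record

def _option_names(text: str) -> List[str]:
    """Snort prints options as 'NAME: arg arg NAME ...'; keep names, drop numeric args."""
    return [t[:-1] if t.endswith(":") else t
            for t in text.split() if not re.fullmatch(r"-?\d+", t)]

def parse_alerts(text: str) -> List[Alert]:
    """Parse Snort full-format alert records like the ones quoted in the thread."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        a: Alert = {"ip_options": [], "tcp_options": []}
        for line in block.splitlines():
            if m := ALERT_RE.match(line):
                a["sid"], a["msg"] = m.group(1), m.group(2)
            elif m := FLOW_RE.match(line):
                a["src"], a["dst"] = m.group(1), m.group(2)
            elif m := IPHDR_RE.match(line):
                a["ip_len"], a["dgm_len"] = int(m.group(1)), int(m.group(2))
            elif m := IPOPT_RE.match(line):
                a["ip_options"] = _option_names(m.group(1))
            elif m := TCPOPT_RE.match(line):
                a["tcp_options"] = _option_names(m.group(1))
            elif m := TCPLEN_RE.search(line):
                a["tcp_len"] = int(m.group(1))
        alerts.append(a)
    return alerts

def analyze(a: Alert) -> Dict[str, Any]:
    """Cross-check the lengths Snort printed; flag loopback source and source routing."""
    out: Dict[str, Any] = {}
    ip_opt_bytes = a["ip_len"] - 20      # IPv4 header: 20 bytes plus options
    tcp_opt_bytes = a["tcp_len"] - 20    # TCP header: 20 bytes plus options
    out["payload_bytes"] = a["dgm_len"] - a["ip_len"] - a["tcp_len"]
    fixed = sum(IP_OPT_SIZE.get(n, 0) for n in a["ip_options"])
    variable = [n for n in a["ip_options"] if n in IP_OPT_VARIABLE]
    if variable:
        # With exactly one variable-length option, the bytes left after the fixed
        # ones must be 3 + 4n; that pins down n, the number of route address slots.
        left = ip_opt_bytes - fixed
        ok = len(variable) == 1 and left >= 7 and (left - 3) % 4 == 0
        out["route_slots"] = (left - 3) // 4 if ok else None
        out["ip_options_consistent"] = ok
    else:
        out["route_slots"] = None
        out["ip_options_consistent"] = fixed == ip_opt_bytes
    out["tcp_options_consistent"] = (
        all(n in TCP_OPT_SIZE for n in a["tcp_options"])
        and sum(TCP_OPT_SIZE[n] for n in a["tcp_options"]) == tcp_opt_bytes)
    try:
        out["loopback_source"] = ip_address(a["src"]) in LOOPBACK
    except ValueError:                   # masked or otherwise unparsable address
        out["loopback_source"] = False
    out["source_routed"] = any(n in ("LSRR", "SSRR") for n in a["ip_options"])
    return out

if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        print(a["sid"], a["src"], "->", a["dst"], analyze(a))
```

Run as-is it prints one summary per record. For the quoted records it reports the printed lengths as mutually consistent: IpLen 28 is 20 plus a 7-byte LSRR (one address slot) and a NOP, TcpLen 40 is 20 plus the 20 bytes of the six listed options, and DgmLen 68 leaves zero payload bytes, which is what a bare SYN should carry. The same function reports a loopback source and a source-route option for every record, the two things worth chasing on the router side regardless of how the lengths come out.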
Current thread:
- Interesting traffic... Mark Mason (Feb 26)
- Re: Interesting traffic... Ashley Thomas (Feb 26)
- Re: Interesting traffic... Jason Haar (Feb 26)
- Re: Interesting traffic... Ashley Thomas (Feb 26)
- Re: Interesting traffic... Jason Haar (Feb 26)
- Re: Interesting traffic... Ashley Thomas (Feb 26)
- <Possible follow-ups>
- Re: Interesting traffic... Scott Taylor (Feb 26)
- RE: Interesting traffic... Mark Mason (Feb 27)