Snort mailing list archives

Re: BAD TRAFFIC data in TCP SYN packet


From: Chris Keladis <Chris.Keladis () cmc cwo net au>
Date: Mon, 14 Jan 2002 18:44:14 +1100

Lars Jørgensen IT wrote:


Hi Lars,

> I get a lot of
> 
> 01/14-02:24:17.089098  [**] [1:526:3] BAD TRAFFIC data in TCP SYN packet
> [**] [Classification: Misc activity] [Priority: 3] {TCP} 207.46.106.84:29291
> -> 172.40.20.235:53
> 
> 172.40.20.235 is my DNS server, but why would clients put data in the SYN
> packets? According to RIPE, the source address is "ALLOCATED UNSPECIFIED",
> so I can't find out who's doing this. It comes from a limited number of
> addresses, they all seem to be 207.xx.xxx.xxx.
> 
> I tried Google, but to no avail. Can anybody shed some light on this?

I saw a bunch of these as well, today.

They reverse-resolve to *.windowsupdate.com

Unfortunately I haven't taken a full dump of the conversation yet to see
if the conversation goes any further than the SYN or if they are just
spoofed SYNs.

There doesn't appear to be anything malicious in the payload, although
it could be a probe to fingerprint systems. (just a guess).

In any case it's something that shouldn't be there. Perhaps if someone
else logs the whole transaction we can gain further insight.
Regards,

Chris.
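The condition behind the alert Lars quotes, as an added example that is not from this thread or from Snort's own code: a small Python parser that flags raw IPv4/TCP packets carrying a payload in a bare SYN (SYN set, no other control bits, ECN bits ignored), run over constructed packets that reuse the addresses and ports from the alert. The packet builder, the function names and the sample payloads are assumptions for illustration only.

```python
import struct
from collections import namedtuple

TCP_SYN, TCP_ACK, TCP_PSH = 0x02, 0x10, 0x08   # control bits in TCP header byte 13
ECN_BITS = 0xC0                                 # CWR/ECE: ignored by the flag test (Snort "S,12")
TcpSegment = namedtuple("TcpSegment", "src dst sport dport flags payload")

def parse_ipv4_tcp(pkt: bytes) -> TcpSegment:
    """Parse a raw IPv4 packet carrying TCP (no link-layer header)."""
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return TcpSegment(src, dst, sport, dport, tcp[13], tcp[data_off:])

def data_in_syn(seg: TcpSegment) -> bool:
    """True when SYN is the only control flag set and the segment carries data."""
    return (seg.flags & ~ECN_BITS) == TCP_SYN and len(seg.payload) > 0

def alert_line(seg: TcpSegment) -> str:
    """Format a hit in the style of the alert quoted in the thread."""
    return (f"[**] BAD TRAFFIC data in TCP SYN packet [**] {{TCP}} "
            f"{seg.src}:{seg.sport} -> {seg.dst}:{seg.dport} ({len(seg.payload)} bytes)")

def scan(packets):
    """Return one alert line per packet matching the data-in-SYN condition."""
    return [alert_line(seg) for seg in map(parse_ipv4_tcp, packets) if data_in_syn(seg)]

def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b""):
    """Construct a minimal IPv4+TCP packet for testing; checksums are left at zero."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp_hdr) + len(payload), 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip_hdr + tcp_hdr + payload

# Constructed sample traffic; addresses and ports are the ones in the alert quoted above.
SAMPLES = [
    build_ipv4_tcp("207.46.106.84", "172.40.20.235", 29291, 53, TCP_SYN, b"\x00\x01probe"),  # hit
    build_ipv4_tcp("172.40.20.235", "207.46.106.84", 53, 29291, TCP_SYN | TCP_ACK),          # SYN/ACK
    build_ipv4_tcp("10.0.0.5", "172.40.20.235", 40000, 53, TCP_SYN),                         # plain SYN
    build_ipv4_tcp("10.0.0.5", "172.40.20.235", 40000, 53, TCP_PSH | TCP_ACK, b"dns-query"), # post-handshake data
]
```

Only the first sample produces an alert; a SYN/ACK, an empty SYN and ordinary post-handshake data all pass. On modern networks TCP Fast Open (RFC 7413) legitimately places data in a SYN, so this check is noisier today than it was when the thread was written.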

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net