Snort mailing list archives

BAD TRAFFIC bad frag bits, MISC Large UDP Packet and RPC portmap request bootparam


From: Todd Holloway <todd () duckland org>
Date: Wed, 23 Jan 2002 13:52:25 -0600

I'm evaluating Demarc's PureSecure (w/ Snort Version 1.8.3 (Build 88)).

When a newly set up Solaris 2.8 Jumpstart server "jumpstarts" a
machine, I get quite a few alerts (like 4000+ :).

I see the "ERRs" below from tcpdump (version 3.6, libpcap version 0.6) on Linux,
but not from tcpdump (same versions of both) on the Solaris 2.8 server.

What's going on?
I'm guessing it's something different in the TCP stack implementation, but I'm missing it.

have a happy mind,
todd

______________________________
SIGNATURE: RPC portmap request bootparam
SRC IP: 1.1.1.1
DST IP: 255.255.255.255
______________________________
SIGNATURE: BAD TRAFFIC bad frag bits
SRC IP: 1.1.1.2
DST IP: 1.1.1.1
______________________________
SIGNATURE: BAD TRAFFIC bad frag bits
SRC IP: 1.1.1.2
DST IP: 1.1.1.1
______________________________
SIGNATURE: BAD TRAFFIC bad frag bits
SRC IP: 1.1.1.2
DST IP: 1.1.1.1
______________________________
SIGNATURE: BAD TRAFFIC bad frag bits
SRC IP: 1.1.1.2
DST IP: 1.1.1.1
______________________________
SIGNATURE: BAD TRAFFIC bad frag bits
SRC IP: 1.1.1.2
DST IP: 1.1.1.1
______________________________
SIGNATURE: MISC Large UDP Packet
SRC IP: 1.1.1.2
DST IP: 1.1.1.1
______________________________
SIGNATURE: BAD TRAFFIC bad frag bits
SRC IP: 1.1.1.2
DST IP: 1.1.1.1
______________________________

11:33:20.085820 1.1.1.2.nfs > 1.1.1.1.4214770757: reply ERR 1460 (DF) (ttl 64, id 63315, len 1500)
11:33:20.085820 1.1.1.2.nfs > 1.1.1.1.3153343559: reply ERR 1460 (DF) (ttl 64, id 63316, len 1500)
11:33:20.085820 1.1.1.2.nfs > 1.1.1.1.2822450691: reply ERR 1460 (DF) (ttl 64, id 63317, len 1500)
11:33:20.085820 1.1.1.2.nfs > 1.1.1.1.1934238373: reply ERR 1460 (DF) (ttl 64, id 63318, len 1500)
11:33:20.085820 1.1.1.2.nfs > 1.1.1.1.3244921369: reply ERR 1460 (DF) (ttl 64, id 63319, len 1500)
11:33:20.085820 1.1.1.2.nfs > 1.1.1.1.346190187: reply ERR 1460 (DF) (ttl 64, id 63320, len 1500)
11:33:20.085820 1.1.1.2.nfs > 1.1.1.1.1646961569: reply ERR 1460 (DF) (ttl 64, id 63321, len 1500)
11:33:20.085820 1.1.1.2.nfs > 1.1.1.1.2722629544: reply ERR 1460 (DF) (ttl 64, id 63322, len 1500)
11:33:20.085820 1.1.1.2.nfs > 1.1.1.1.2076031598: reply ERR 648 (DF) (ttl 64, id 63323, len 688)
11:33:20.135822 1.1.1.2.nfs > 1.1.1.1.3296674272: reply ok 132 (DF) (ttl 64, id 63324, len 172)
11:33:20.135822 1.1.1.2.nfs > 1.1.1.1.4131376078: reply ERR 1460 (DF) (ttl 64, id 63325, len 1500)
11:33:20.135822 1.1.1.2.nfs > 1.1.1.1.1764277460: reply ERR 1460 (DF) (ttl 64, id 63326, len 1500)
11:33:20.135822 1.1.1.2.nfs > 1.1.1.1.2785970758: reply ERR 1460 (DF) (ttl 64, id 63327, len 1500)
11:33:20.135822 1.1.1.2.nfs > 1.1.1.1.2715686601: reply ERR 1460 (DF) (ttl 64, id 63328, len 1500)
11:33:20.135822 1.1.1.2.nfs > 1.1.1.1.3324449566: reply ERR 1460 (DF) (ttl 64, id 63329, len 1500)
11:33:20.135822 1.1.1.2.nfs > 1.1.1.1.2863339656: reply ERR 1460 (DF) (ttl 64, id 63330, len 1500)
11:33:20.135822 1.1.1.2.nfs > 1.1.1.1.1277245857: reply ERR 1460 (DF) (ttl 64, id 63331, len 1500)
11:33:20.135822 1.1.1.2.nfs > 1.1.1.1.2002626110: reply ERR 1460 (DF) (ttl 64, id 63332, len 1500)
11:33:20.135822 1.1.1.2.nfs > 1.1.1.1.2634077603: reply ERR 1460 (DF) (ttl 64, id 63333, len 1500)
11:33:20.135822 1.1.1.2.nfs > 1.1.1.1.3985510588: reply ERR 1460 (DF) (ttl 64, id 63334, len 1500)
11:33:20.135822 1.1.1.2.nfs > 1.1.1.1.3851470169: reply ERR 1460 (DF) (ttl 64, id 63335, len 1500)
11:33:20.135822 1.1.1.2.nfs > 1.1.1.1.2215298473: reply ERR 116 (DF) (ttl 64, id 63336, len 156)
11:33:20.305831 1.1.1.2.nfs > 1.1.1.1.3296674273: reply ok 116 (DF) (ttl 64, id 63337, len 156)
11:33:21.325880 1.1.1.2.nfs > 1.1.1.1.3296674274: reply ok 116 (DF) (ttl 64, id 63338, len 156)
11:33:21.325880 1.1.1.2.nfs > 1.1.1.1.3296674275: reply ok 116 (DF) (ttl 64, id 63339, len 156)
11:33:21.335881 1.1.1.2.nfs > 1.1.1.1.3296674276: reply ok 116 (DF) (ttl 64, id 63340, len 156)
11:33:21.335881 1.1.1.2.nfs > 1.1.1.1.3296674277: reply ok 120 (DF) (ttl 64, id 63341, len 160)
11:33:21.345881 1.1.1.2.nfs > 1.1.1.1.3296674278: reply ok 244 (DF) (ttl 64, id 63342, len 284)
11:33:21.345881 1.1.1.2.nfs > 1.1.1.1.3296674279: reply ok 124 (DF) (ttl 64, id 63343, len 164)
11:33:21.345881 1.1.1.2.nfs > 1.1.1.1.3296674280: reply ok 124 (DF) (ttl 64, id 63344, len 164)
11:33:21.345881 1.1.1.2.nfs > 1.1.1.1.3296674281: reply ok 132 (DF) (ttl 64, id 63345, len 172)
11:33:21.345881 1.1.1.2.nfs > 1.1.1.1.1030975585: reply ERR 784 (DF) (ttl 64, id 63346, len 824)

-- 
"This UI has been brought to you by the letters 'S' and 'K', and the runlevel 3." 
                                                - Greg Andrews 
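A small triage helper, added here and not part of the original post, for capture output like the tcpdump lines quoted above. It separates the replies tcpdump decoded as "ok" (consecutive XIDs, small datagrams) from the ones it flagged "ERR" (unrelated XIDs, mostly exactly 1500 bytes with DF set), so the two populations can be compared before asking why the Linux and Solaris sniffers disagree. The six sample lines are copied verbatim from the post; the regex assumes tcpdump 3.6's "reply ok/ERR" line layout shown there.

```python
import re

# Matches the tcpdump 3.6 NFS "reply" lines quoted in the post above.
LINE_RE = re.compile(
    r"^(?P<ts>[\d:.]+) (?P<src>[\d.]+)\.nfs > (?P<dst>[\d.]+)\.(?P<xid>\d+): "
    r"reply (?P<status>ok|ERR) (?P<plen>\d+) (?P<df>\(DF\) )?"
    r"\(ttl (?P<ttl>\d+), id (?P<ipid>\d+), len (?P<len>\d+)\)$"
)

# Six lines copied verbatim from the post, used as sample input.
SAMPLE = """\
11:33:20.085820 1.1.1.2.nfs > 1.1.1.1.4214770757: reply ERR 1460 (DF) (ttl 64, id 63315, len 1500)
11:33:20.085820 1.1.1.2.nfs > 1.1.1.1.3153343559: reply ERR 1460 (DF) (ttl 64, id 63316, len 1500)
11:33:20.085820 1.1.1.2.nfs > 1.1.1.1.2076031598: reply ERR 648 (DF) (ttl 64, id 63323, len 688)
11:33:20.135822 1.1.1.2.nfs > 1.1.1.1.3296674272: reply ok 132 (DF) (ttl 64, id 63324, len 172)
11:33:20.305831 1.1.1.2.nfs > 1.1.1.1.3296674273: reply ok 116 (DF) (ttl 64, id 63337, len 156)
11:33:21.325880 1.1.1.2.nfs > 1.1.1.1.3296674274: reply ok 116 (DF) (ttl 64, id 63338, len 156)
"""


def parse(text):
    """Turn tcpdump reply lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            rows.append({
                "xid": int(d["xid"]), "status": d["status"], "plen": int(d["plen"]),
                "df": d["df"] is not None, "ipid": int(d["ipid"]), "len": int(d["len"]),
            })
    return rows


def triage(rows, mtu=1500):
    """Summarise the 'ok' and 'ERR' populations: how many ERR packets are exactly
    MTU-sized with DF set, whether the ok replies' XIDs run consecutively, and how
    widely the ERR XIDs are scattered."""
    ok = [r for r in rows if r["status"] == "ok"]
    err = [r for r in rows if r["status"] == "ERR"]
    ok_xids = [r["xid"] for r in ok]
    err_xids = [r["xid"] for r in err]
    return {
        "ok": len(ok),
        "err": len(err),
        "err_mtu_df": sum(1 for r in err if r["len"] == mtu and r["df"]),
        "ok_xid_consecutive": all(b - a == 1 for a, b in zip(ok_xids, ok_xids[1:])),
        "err_xid_span": (max(err_xids) - min(err_xids)) if err_xids else 0,
    }


if __name__ == "__main__":
    print(triage(parse(SAMPLE)))
```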
