Snort mailing list archives

RE: is this an attack?


From: Blake Frantz <blake () mc net>
Date: Mon, 28 Jan 2002 11:48:30 -0600 (CST)


I don't view these packet traces as SYN scans.  If you look in the packet
you can see that cpfw sent a QUIT command to your server; this implies the
use of an application that is 'smarter' than a simple SYN scanner, maybe a
broken mail client.

Also, this appears to be one connection.

cpfw:      SYN     (connect request)
antispam : SYN ACK (ack the request, send ISN)
cpfw:      ACK     (ack ISN)
<bunch of PSHes>   (smtp conversation)
cpfw:      FIN     (request to close connection)
antispam:  ACK     (ack close request)
cpfw:      RST     (close connection)

Have you tried correlating these events with connections in your fw state
table to determine which box behind your firewall is causing this?

(assuming your firewall is nat'ing your private lan)

-Blake

-> Hi dudes,
-> 
-> I am receiving a lot of smtp connection attempts from our checkpoint
-> firewall-1. Is it an attack? Looks like a SYN scan to me coz I never see
-> any HELO transaction in the /var/log/maillog.
-> 
-> 01:24:49.777645 cpfw.20771 > antispam.remingtonltd.com.smtp: S
-> 1715098950:1715098950(0) win 5840 <mss 1460,nop,nop,sackOK> (DF)
->   0000: 4500 0030 9fc1 4000 7f06 ee00 41c0 7541  E..0.?@...?.A?uA
->   0010: 41c0 7544 5123 0019 663a 5546 0000 0000  A?uDQ#..f:UF....
->   0020: 7002 16d0 f18c 0000 0204 05b4 0101 0402  p..??......?....
-> 
-> 01:24:49.777760 antispam.remingtonltd.com.smtp > cpfw.20771: S 2880971570:2880971570(0) ack 1715098951 win 17520 <mss 1460,nop,nop,sackOK> (DF)
->   0000: 4500 0030 59f4 4000 4006 72ce 41c0 7544  E..0Y?@.@.r?A?uD
->   0010: 41c0 7541 0019 5123 abb8 2332 663a 5547  A?uA..Q#??#2f:UG
->   0020: 7012 4470 f4f0 0000 0204 05b4 0101 0402  p.Dp??.....?....
-> 
-> 01:24:49.778486 cpfw.20771 > antispam.remingtonltd.com.smtp: . ack 1 win 5840 (DF)
->   0000: 4500 0028 9fc2 4000 7f06 ee07 41c0 7541  E..(.?@...?.A?uA
->   0010: 41c0 7544 5123 0019 663a 5547 abb8 2333  A?uDQ#..f:UG??#3
->   0020: 5010 16d0 4f55 0000 0000 0000 0000       P..?OU........
-> 
-> 01:24:49.781016 antispam.remingtonltd.com.smtp > cpfw.20771: P
-> 1:107(106) ack 1 win 17520 (DF)
->   0000: 4500 0092 21f2 4000 4006 aa6e 41c0 7544  E...!?@.@.?nA?uD
->   0010: 41c0 7541 0019 5123 abb8 2333 663a 5547  A?uA..Q#??#3f:UG
->   0020: 5018 4470 960f 0000 3232 3020 616e 7469  P.Dp....220 anti
->   0030: 7370 616d 2e72 656d 696e 6774 6f6e 6c74  spam.remingtonlt
->   0040: 642e 636f 6d20 4553 4d54 5020 5365 7276  d.com ESMTP Serv
->   0050: 6572                                     er
-> 
-> 01:24:49.781930 cpfw.20771 > antispam.remingtonltd.com.smtp: P 1:7(6)
-> ack 107 win 5734 (DF)
->   0000: 4500 002e 9fc3 4000 7f06 ee00 41c0 7541  E....?@...?.A?uA
->   0010: 41c0 7544 5123 0019 663a 5547 abb8 239d  A?uDQ#..f:UG??#.
->   0020: 5018 1666 a793 0000 5155 4954 0d0a       P..f?...QUIT..
-> 
-> 01:24:49.781990 antispam.remingtonltd.com.smtp > cpfw.20771: . ack 7 win 17514 (DF)
->   0000: 4500 0028 5ad7 4000 4006 71f3 41c0 7544  E..(Z?@.@.q?A?uD
->   0010: 41c0 7541 0019 5123 abb8 239d 663a 554d  A?uA..Q#??#.f:UM
->   0020: 5010 446a 214b 0000                      P.Dj!K..
-> 
-> 01:24:49.782264 antispam.remingtonltd.com.smtp > cpfw.20771: P
-> 107:116(9) ack 7 win 17520 (DF)
->   0000: 4500 0031 799a 4000 4006 5327 41c0 7544  E..1y.@.@.S'A?uD
->   0010: 41c0 7541 0019 5123 abb8 239d 663a 554d  A?uA..Q#??#.f:UM
->   0020: 5018 4470 0c5b 0000 3232 3120 4279 650d  P.Dp.[..221 Bye.
->   0030: 0a                                       .
-> 
-> 01:24:49.782313 antispam.remingtonltd.com.smtp > cpfw.20771: F
-> 116:116(0) ack 7 win 17520 (DF)
->   0000: 4500 0028 2ffa 4000 4006 9cd0 41c0 7544  E..(/?@.@..?A?uD
->   0010: 41c0 7541 0019 5123 abb8 23a6 663a 554d  A?uA..Q#??#?f:UM
->   0020: 5011 4470 213b 0000                      P.Dp!;..
-> 
-> 01:24:49.783043 cpfw.20771 > antispam.remingtonltd.com.smtp: . ack 117 win 5725 (DF)
->   0000: 4500 0028 9fc4 4000 7f06 ee05 41c0 7541  E..(.?@...?.A?uA
->   0010: 41c0 7544 5123 0019 663a 554d abb8 23a7  A?uDQ#..f:UM??#?
->   0020: 5010 165d 4f4e 0000 0000 0000 0000       P..]ON........
-> 
-> 01:24:49.878137 cpfw.20771 > antispam.remingtonltd.com.smtp: F 7:7(0)
-> ack 117 win 5725 (DF)
->   0000: 4500 0028 9ffb 4000 7f06 edce 41c0 7541  E..(.?@...??A?uA
->   0010: 41c0 7544 5123 0019 663a 554d abb8 23a7  A?uDQ#..f:UM??#?
->   0020: 5011 165d 4f4d 0000 0000 0000 0000       P..]OM........
-> 
-> 01:24:49.878197 antispam.remingtonltd.com.smtp > cpfw.20771: . ack 8 win 17520 (DF)
->   0000: 4500 0028 66c1 4000 4006 6609 41c0 7544  E..(f?@.@.f.A?uD
->   0010: 41c0 7541 0019 5123 abb8 23a7 663a 554e  A?uA..Q#??#?f:UN
->   0020: 5010 4470 213a 0000                      P.Dp!:..
-> 
-> 01:24:49.878794 cpfw.20771 > antispam.remingtonltd.com.smtp: R
-> 1715098958:1715098958(0) win 0
->   0000: 4500 0028 9ffd 0000 7f06 2dcd 41c0 7541  E..(.?....-?A?uA
->   0010: 41c0 7544 5123 0019 663a 554e 663a 554e  A?uDQ#..f:UNf:UN
->   0020: 5004 0000 798d 0000 0000 0000 0000       P...y.........
-> 
-> 
-> Please explain. Thanks.
-> 
-> 
->   
-> neil camara (ronneilc () remingtonltd com) - cc{na|sa}, mcse - pgp
-> 0x777777B2 
-> network/security engineer - dl := +1(847)2.21.0.224 cn :=
-> +1(847)9.80.17.53 
->         echo "I love windows" | sed -e 's/wi/u/g' | cut -f1 -dd | \
->               awk '/u/ {printf("%s %s %six\n",$1,$2,$3)}'


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
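The reasoning in the reply above, turned into code as an added example (it is not part of the original thread, nor Blake's or Neil's own tooling): a small Python parser for the tcpdump -x output in the post that rebuilds the SMTP payload from the hex dump, which is where the QUIT command is visible, and labels each flow as an established session or a half-open probe by checking whether the three-way handshake completed and whether application data moved. The summary lines and the two hex dumps are taken from the post; the `scanner` host and its three-packet SYN probe are constructed here for contrast and do not appear in the thread.

```python
import re
from collections import defaultdict

# Trace modelled on the post: the twelve tcpdump summary lines of the cpfw -> antispam
# SMTP connection (mailer line-wrapping undone) plus the hex dump of the two packets
# that carry an SMTP command or reply. Constructed for this example, not new capture data.
TRACE = """\
01:24:49.777645 cpfw.20771 > antispam.remingtonltd.com.smtp: S 1715098950:1715098950(0) win 5840 <mss 1460,nop,nop,sackOK> (DF)
01:24:49.777760 antispam.remingtonltd.com.smtp > cpfw.20771: S 2880971570:2880971570(0) ack 1715098951 win 17520 <mss 1460,nop,nop,sackOK> (DF)
01:24:49.778486 cpfw.20771 > antispam.remingtonltd.com.smtp: . ack 1 win 5840 (DF)
01:24:49.781016 antispam.remingtonltd.com.smtp > cpfw.20771: P 1:107(106) ack 1 win 17520 (DF)
01:24:49.781930 cpfw.20771 > antispam.remingtonltd.com.smtp: P 1:7(6) ack 107 win 5734 (DF)
  0000: 4500 002e 9fc3 4000 7f06 ee00 41c0 7541  E....?@...?.A?uA
  0010: 41c0 7544 5123 0019 663a 5547 abb8 239d  A?uDQ#..f:UG??#.
  0020: 5018 1666 a793 0000 5155 4954 0d0a       P..f?...QUIT..
01:24:49.781990 antispam.remingtonltd.com.smtp > cpfw.20771: . ack 7 win 17514 (DF)
01:24:49.782264 antispam.remingtonltd.com.smtp > cpfw.20771: P 107:116(9) ack 7 win 17520 (DF)
  0000: 4500 0031 799a 4000 4006 5327 41c0 7544  E..1y.@.@.S'A?uD
  0010: 41c0 7541 0019 5123 abb8 239d 663a 554d  A?uA..Q#??#.f:UM
  0020: 5018 4470 0c5b 0000 3232 3120 4279 650d  P.Dp.[..221 Bye.
  0030: 0a                                       .
01:24:49.782313 antispam.remingtonltd.com.smtp > cpfw.20771: F 116:116(0) ack 7 win 17520 (DF)
01:24:49.783043 cpfw.20771 > antispam.remingtonltd.com.smtp: . ack 117 win 5725 (DF)
01:24:49.878137 cpfw.20771 > antispam.remingtonltd.com.smtp: F 7:7(0) ack 117 win 5725 (DF)
01:24:49.878197 antispam.remingtonltd.com.smtp > cpfw.20771: . ack 8 win 17520 (DF)
01:24:49.878794 cpfw.20771 > antispam.remingtonltd.com.smtp: R 1715098958:1715098958(0) win 0
"""

# Constructed contrast case ("scanner" is a made-up host): one half-open SYN scan probe.
# The SYN/ACK is answered with RST, the handshake never completes and no data flows.
SYN_SCAN = """\
01:30:00.000100 scanner.40001 > antispam.remingtonltd.com.smtp: S 1000:1000(0) win 1024
01:30:00.000200 antispam.remingtonltd.com.smtp > scanner.40001: S 5000:5000(0) ack 1001 win 17520
01:30:00.000300 scanner.40001 > antispam.remingtonltd.com.smtp: R 1001:1001(0) win 0
"""

# tcpdump 3.x summary line: "time src > dst: FLAGS [seq:end(len)] [ack N] win W ..."
SUMMARY_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SPFR.]+)"
    r"(?: \d+:\d+\((?P<len>\d+)\))?(?: ack (?P<ack>\d+))? win \d+"
)
HEX_RE = re.compile(r"^\s+[0-9a-f]{4}: (?P<rest>.+)$")

def parse_trace(text):
    """Parse tcpdump -x output; hex dump lines attach to the summary line above them."""
    packets = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            p = m.groupdict()
            p["len"] = int(p["len"] or 0)
            p["raw"] = bytearray()        # captured IP packet bytes, if a dump follows
            packets.append(p)
            continue
        h = HEX_RE.match(line)
        if h and packets:                 # ASCII column starts after the first 2+ spaces
            hexpart = re.split(r"\s{2,}", h.group("rest").strip(), maxsplit=1)[0]
            packets[-1]["raw"] += bytes.fromhex(hexpart.replace(" ", ""))
    return packets

def tcp_payload(raw):
    """Skip the IPv4 and TCP headers (both may carry options) and return the segment data.
    Dumps are snaplen-truncated, so a long payload comes back as a prefix only."""
    if len(raw) < 20:
        return b""
    ihl = (raw[0] & 0x0F) * 4
    total_len = int.from_bytes(raw[2:4], "big")
    if len(raw) < ihl + 13:
        return b""
    doff = (raw[ihl + 12] >> 4) * 4
    return bytes(raw[ihl + doff:min(total_len, len(raw))])

def smtp_dialogue(packets):
    """(sender, text) for every dumped segment that carries application data."""
    out = []
    for p in packets:
        data = tcp_payload(p["raw"])
        if data:
            out.append((p["src"], data.decode("ascii", "replace").rstrip("\r\n")))
    return out

def classify_flows(packets):
    """Group packets by endpoint pair and label each flow the way the reply does by hand:
    a SYN scan never completes the handshake; a real session does, then moves data."""
    flows = defaultdict(list)
    for p in packets:
        flows[frozenset((p["src"], p["dst"]))].append(p)
    verdicts = {}
    for pkts in flows.values():
        init, peer = pkts[0]["src"], pkts[0]["dst"]   # first packet seen names the initiator
        syn = any("S" in p["flags"] and not p["ack"] and p["src"] == init for p in pkts)
        synack = any("S" in p["flags"] and p["ack"] and p["src"] == peer for p in pkts)
        ack3 = any(p["flags"] == "." and p["src"] == init for p in pkts)  # handshake's third leg
        to_peer = sum(p["len"] for p in pkts if p["src"] == init)
        from_peer = sum(p["len"] for p in pkts if p["src"] == peer)
        if syn and synack and ack3 and (to_peer or from_peer):
            v = "established: %d bytes to server, %d bytes from server" % (to_peer, from_peer)
        elif syn and synack and ack3:
            v = "full connect, no application data (connect() scan or aborted client)"
        elif syn and synack:
            v = "half-open: SYN/ACK never acknowledged (SYN scan pattern)"
        else:
            v = "SYN unanswered" if syn else "no handshake seen"
        verdicts["%s -> %s" % (init, peer)] = v
    return verdicts
```

Run against `TRACE`, `classify_flows` reports one flow from cpfw.20771 as established with 6 bytes sent and 115 received, and `smtp_dialogue` recovers `QUIT` from cpfw and `221 Bye` from antispam; the constructed `SYN_SCAN` flow comes back as half-open. Two caveats a practitioner should keep in mind: the initiator is taken to be whoever sent the first packet seen, which is wrong if the capture starts mid-stream, and the hex dump is cut at the snaplen, so if you paste in the 220 banner packet from the post (146 bytes on the wire, 82 in the dump) `tcp_payload` returns only the 42-byte prefix `220 antispam.remingtonltd.com ESMTP Server`.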