Snort mailing list archives
More on the "BAD TRAFFIC udp port 0" front
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Tue, 7 May 2002 15:41:41 +1200
I'm now sure this is fragmentation related... We're getting this snort alert quite often, so I ran up tcpdump and captured packets from one of the hosts that appeared to be generating such events. What I'm seeing is that when snort says "BAD TRAFFIC udp port 0", I see a fragment.

The remote host in question is an Active Directory controller trying to talk to our Active Directory controller. It uses Kerberos over NetBIOS and the packets are indeed big enough to cause fragmentation - esp. as we run our WAN over IPSec tunnels (MTU: 1460). It looks like Snort's defrag preprocessor isn't associating these packets with the rest of the session? I have tried "frag2" and "defrag" - neither makes any difference. Trying "defrag2" makes snort-1.8.6 return:

*WARNING*: unknown preprocessor "defrag2", ignoring

- so something's amiss there!

Anyway, even though I can time-correlate tcpdump seeing a fragment with snort forming an alert, if I feed the tcpdump capture back into snort - it doesn't trigger an alert...

--- SNORT ALERT -----
grep " snort: " /var/adm/messages |grep BAD|grep 11:33:54
May 6 11:33:54 ids snort: [1:525:4] BAD TRAFFIC udp port 0 traffic [Classification: Misc activity] [Priority: 3]: <eth2> {UDP} 5.6.7.8:0 -> 1.2.3.4:0
----------------------

------- TCPDUMP -------------
tcpdump -n -r /tmp/tcp.log -l|grep 11:33:54
11:33:54.827850 5.6.7.8 > 1.2.3.4: (frag 43822:11@1416)
11:33:54.851794 5.6.7.8.53032 > 1.2.3.4.kerberos: (frag 43822:1416@0+)
11:33:54.860379 1.2.3.4.kerberos > 5.6.7.8.53032:
--------------------------

Any ideas, I still have the tcpdump trace if anyone's interested...

--
Cheers

Jason Haar
Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
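The symptom in the post, as an added illustration that is not part of the original thread and not Snort's own code: the tcpdump lines show IP id 43822 split into a trailing fragment (11 bytes at offset 1416, which arrived first) and a first fragment (1416 bytes at offset 0, MF set). Only the fragment at offset 0 carries the UDP header with ports 53032 and 88 (kerberos); the trailing fragment has no transport header at all, so an engine that inspects each packet on its own has nothing to report but 0 -> 0. Modelling that per-packet view as "no transport header decoded on a non-first fragment" is an assumption made for this example, not a statement of how Snort 1.8.6 implements it. The script below builds the two fragments from the ids, offsets and lengths in the tcpdump output (checksums left zero, Kerberos payload filler bytes constructed), shows what each fragment looks like on its own, and then reassembles them keyed on (src, dst, id, proto) the way a defragmenter would, recovering the real ports. The reassembler is a toy (no timeouts, no overlap policy, no size limit), but it does handle the out-of-order arrival seen in the trace.

```python
import struct
from ipaddress import IPv4Address

IP_PROTO_UDP = 17
KERBEROS_PORT = 88  # "kerberos" in the tcpdump output
IP_MF = 0x2000      # More Fragments flag in the flags/fragment-offset field


def build_ipv4(src, dst, ident, proto, mf, frag_offset, payload):
    """Build an IPv4 packet (constructed test data; header checksum left as 0)."""
    assert frag_offset % 8 == 0, "fragment offsets are in 8-byte units"
    flags_frag = (IP_MF if mf else 0) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def build_udp(sport, dport, data):
    """UDP header (checksum left as 0) followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def parse_ipv4(pkt):
    """Decode the fields a defragmenter needs from an IPv4 packet."""
    (vihl, _tos, tlen, ident, ff, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "id": ident, "proto": proto, "mf": bool(ff & IP_MF),
            "offset": (ff & 0x1FFF) * 8, "payload": pkt[ihl:tlen]}


def ports_without_defrag(pkt):
    """Per-packet view (assumption for this example): the UDP header is only
    present in the fragment at offset 0; any other fragment yields 0/0."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != IP_PROTO_UDP or ip["offset"] != 0:
        return (0, 0)
    sport, dport = struct.unpack("!HH", ip["payload"][:4])
    return (sport, dport)


class Reassembler:
    """Minimal IPv4 reassembly keyed on (src, dst, id, proto)."""

    def __init__(self):
        self.buckets = {}

    def add(self, pkt):
        """Feed one packet; return (ip_fields, full_payload) when a datagram
        is complete, else None. Unfragmented packets complete immediately."""
        ip = parse_ipv4(pkt)
        if not ip["mf"] and ip["offset"] == 0:
            return ip, ip["payload"]
        key = (ip["src"], ip["dst"], ip["id"], ip["proto"])
        b = self.buckets.setdefault(key, {"frags": {}, "total": None})
        b["frags"][ip["offset"]] = ip["payload"]
        if not ip["mf"]:  # last fragment fixes the datagram length
            b["total"] = ip["offset"] + len(ip["payload"])
        if b["total"] is None:
            return None
        # Complete only when the fragments tile [0, total) with no gaps
        # or overlaps (overlaps are simply treated as "not yet complete").
        have = 0
        for off in sorted(b["frags"]):
            if off != have:
                return None
            have = off + len(b["frags"][off])
        if have != b["total"]:
            return None
        data = b"".join(b["frags"][o] for o in sorted(b["frags"]))
        del self.buckets[key]
        return ip, data


def demo():
    """Reproduce the two fragments of IP id 43822 from the post, in the
    arrival order tcpdump showed (trailing fragment first)."""
    udp = build_udp(53032, KERBEROS_PORT, b"\x6a" * 1419)  # 8 + 1419 = 1427 bytes
    first = build_ipv4("5.6.7.8", "1.2.3.4", 43822, IP_PROTO_UDP, True, 0, udp[:1416])
    last = build_ipv4("5.6.7.8", "1.2.3.4", 43822, IP_PROTO_UDP, False, 1416, udp[1416:])
    wire = [last, first]

    per_packet = [ports_without_defrag(p) for p in wire]   # [(0, 0), (53032, 88)]

    reassembled = []
    r = Reassembler()
    for p in wire:
        done = r.add(p)
        if done:
            ip, data = done
            sport, dport, ulen, _ = struct.unpack("!HHHH", data[:8])
            reassembled.append((ip["src"], sport, ip["dst"], dport, ulen))
    return per_packet, reassembled


if __name__ == "__main__":
    per_packet, reassembled = demo()
    print("per-fragment ports:", per_packet)
    print("after reassembly:  ", reassembled)
```

Run on its own, the per-fragment view gives (0, 0) for the trailing fragment, which is exactly the 5.6.7.8:0 -> 1.2.3.4:0 line in the alert; after reassembly the same two packets yield one 1427-byte datagram from port 53032 to port 88. Whatever the reason a given Snort build fails to do this, the check a practitioner wants is the one shown here: does the engine see the whole datagram, or each fragment in isolation?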