Snort mailing list archives
Help! Very weird traffic.
From: Yonah Russ <yonah () jct ac il>
Date: 19 Feb 2003 19:30:21 +0200
Hi, I am getting some very weird traffic from a network. It shows up in snort as NMAP TCP Scans and MISC source port 53 < 1024 alerts but there really seems to be a whole conversation- I can't figure out what the conversation is about though- it doesn't match any protocol in ethereal. Here is a dump of the traffic- any ideas?

02/19-16:39:34.375895 212.25.105.34:55 -> xxx.xxx.xxx.xxx:37852
UDP TTL:55 TOS:0x0 ID:46272 IpLen:20 DgmLen:38
Len: 18
00 00 00 00 00 00 00 00 00 00  ..........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/19-16:39:34.376092 xxx.xxx.xxx.xxx -> 212.25.105.34
ICMP TTL:255 TOS:0x0 ID:27737 IpLen:20 DgmLen:66 DF
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
212.25.105.34:55 -> xxx.xxx.xxx.xxx:37852
UDP TTL:55 TOS:0x0 ID:46272 IpLen:20 DgmLen:38
Len: 18
** END OF DUMP
45 00 00 26 B4 C0 00 00 37 11 FD 25 D4 19 69 22  E..&....7..%..i"
93 A1 01 04 00 37 93 DC 00 12 99 D5 00 00 00 00  .....7..........
00 00 00 00 00 00                                ......

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/19-16:39:34.376328 212.25.105.34:80 -> xxx.xxx.xxx.xxx:53
TCP TTL:55 TOS:0x0 ID:46274 IpLen:20 DgmLen:40
***A**** Seq: 0x38A  Ack: 0x0  Win: 0x578  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/19-16:39:34.376424 xxx.xxx.xxx.xxx:53 -> 212.25.105.34:80
TCP TTL:64 TOS:0x0 ID:27738 IpLen:20 DgmLen:40 DF
*****R** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/19-16:39:34.376758 212.25.105.34:53 -> xxx.xxx.xxx.xxx:53
TCP TTL:55 TOS:0x0 ID:46275 IpLen:20 DgmLen:40
******S* Seq: 0x4EB90C61  Ack: 0x0  Win: 0x578  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/19-16:39:34.376926 xxx.xxx.xxx.xxx:53 -> 212.25.105.34:53
TCP TTL:64 TOS:0x0 ID:27739 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x78F6EB69  Ack: 0x4EB90C62  Win: 0xC0A0  TcpLen: 24
TCP Options (1) => MSS: 1460

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/19-16:39:37.738097 xxx.xxx.xxx.xxx:53 -> 212.25.105.34:53
TCP TTL:64 TOS:0x0 ID:27740 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x78F6EB69  Ack: 0x4EB90C62  Win: 0xC0A0  TcpLen: 24
TCP Options (1) => MSS: 1460

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/19-16:39:39.372827 212.25.105.34:53 -> xxx.xxx.xxx.xxx:53
TCP TTL:55 TOS:0x0 ID:46590 IpLen:20 DgmLen:40
*****R** Seq: 0x4EB90C62  Ack: 0x0  Win: 0x578  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
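As an added example (not part of the post or of Snort), a small parser for Snort's text packet log that regroups the dump above into probe/reply pairs, which makes the "conversation" readable as three probes from 212.25.105.34 (UDP to a high port, TCP ACK to port 53, TCP SYN to port 53) each answered by the local host. The sample is constructed from the packets above with the hex dumps left out; the prober address is passed in as a parameter, nothing is inferred about what sent it.

```python
import re

# Constructed sample: six packets from the post above, header lines only (hex dumps omitted).
SAMPLE = """02/19-16:39:34.375895 212.25.105.34:55 -> xxx.xxx.xxx.xxx:37852
UDP TTL:55 TOS:0x0 ID:46272 IpLen:20 DgmLen:38
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/19-16:39:34.376092 xxx.xxx.xxx.xxx -> 212.25.105.34
ICMP TTL:255 TOS:0x0 ID:27737 IpLen:20 DgmLen:66 DF
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/19-16:39:34.376328 212.25.105.34:80 -> xxx.xxx.xxx.xxx:53
TCP TTL:55 TOS:0x0 ID:46274 IpLen:20 DgmLen:40
***A**** Seq: 0x38A  Ack: 0x0  Win: 0x578  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/19-16:39:34.376424 xxx.xxx.xxx.xxx:53 -> 212.25.105.34:80
TCP TTL:64 TOS:0x0 ID:27738 IpLen:20 DgmLen:40 DF
*****R** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/19-16:39:34.376758 212.25.105.34:53 -> xxx.xxx.xxx.xxx:53
TCP TTL:55 TOS:0x0 ID:46275 IpLen:20 DgmLen:40
******S* Seq: 0x4EB90C61  Ack: 0x0  Win: 0x578  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/19-16:39:34.376926 xxx.xxx.xxx.xxx:53 -> 212.25.105.34:53
TCP TTL:64 TOS:0x0 ID:27739 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x78F6EB69  Ack: 0x4EB90C62  Win: 0xC0A0  TcpLen: 24"""

def parse_snort_log(text):
    """One dict per packet: time, proto, src, dst ("host:port"), info (TCP flags or ICMP type/code)."""
    pkts = []
    for block in filter(str.strip, re.split(r"^=\+.*$", text, flags=re.M)):
        lines = block.strip().splitlines()
        ts, src, _, dst = lines[0].split()
        proto, info = lines[1].split()[0], ""
        if proto == "TCP":  # flag field is printed as 12UAPRSF with '*' for unset bits
            info = lines[2].split()[0].replace("*", "")
        elif proto == "ICMP":
            info = "/".join(re.findall(r"(?:Type|Code):(\d+)", lines[2]))  # e.g. "3/3"
        pkts.append({"time": ts, "proto": proto, "src": src, "dst": dst, "info": info})
    return pkts

def exchanges(pkts, prober):
    """Probe/reply lists: a packet from `prober` opens an exchange, replies attach to the latest one."""
    out = []
    for p in pkts:
        if p["src"].split(":")[0] == prober:
            out.append([p])
        else:
            out[-1].append(p)
    return out
```

Run over the full dump, the retransmitted SYN-ACK lands in the same exchange as the first SYN-ACK and the closing RST from 212.25.105.34 opens a fourth, unanswered exchange, which is what a conversation view should show.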
Current thread:
- Barnyard woes Joerg Weber (Feb 18)
- Re: Barnyard woes Ken Gunderson (Feb 18)
- Re: Barnyard woes Paul Schmehl (Feb 18)
- Re: Barnyard woes Andrew R. Baker (Feb 18)
- Re: Barnyard woes Ken Gunderson (Feb 19)
- Re: Barnyard woes Andrew R. Baker (Feb 19)
- Re: Barnyard woes Ken Gunderson (Feb 19)
- Help! Very wierd traffic. Yonah Russ (Feb 19)
- Re: Help! Very wierd traffic. Matt Kettler (Feb 19)
- Re: Help! Very wierd traffic. Yonah Russ (Feb 19)
- Re: Help! Very wierd traffic. Frank Knobbe (Feb 19)
- Re: Barnyard woes Ken Gunderson (Feb 19)
- Re: Barnyard woes Ken Gunderson (Feb 18)