Snort mailing list archives
Curious "Tagged Packet" alerts in ACID
From: Jeff Kell <jeff-kell () utc edu>
Date: Fri, 31 Dec 2004 20:44:39 -0500
I am getting a rather high (top 5) number of alerts showing up in ACID displaying as simply "Tagged Packet" and having an sid=1, e.g.:
[snort] Tagged Packet unclassified 7118 (24%) 1 2 2 2004-12-31 18:02:59 2004-12-31 19:27:17
The URL given for reference is simply: http://www.snort.org/snort-db/sid.html?sid=1

Here is a sample whole formatted alert:

Generated by ACID v0.9.6b23 on Fri, 31 Dec 2004 20:34:30 -0500
------------------------------------------------------------------------------
#(1 - 805067) [2004-12-31 18:47:28] [snort/1] Tagged Packet
IPv4: 64.12.165.56 -> 172.17.128.101
      hlen=5 TOS=0 dlen=152 ID=47551 flags=0 offset=0 TTL=51 chksum=31717
TCP:  port=7012 -> dport: 4618  flags=***AP*** seq=1474874013
      ack=1336104986 off=5 res=0 win=5840 urp=0 chksum=2798
Payload:  length = 112
000 : 3A 4C 6F 75 69 73 61 21 4C 6F 75 69 73 61 40 43   :Louisa!Louisa@C
010 : 42 35 45 36 43 30 30 2E 38 33 42 30 31 38 37 31   B5E6C00.83B01871
020 : 2E 42 36 44 45 36 36 34 39 2E 49 50 20 50 52 49   .B6DE6649.IP PRI
030 : 56 4D 53 47 20 23 65 6E 67 6C 69 73 68 20 3A 6E   VMSG #english :n
040 : 6F 62 6F 64 79 20 77 69 6C 6C 20 67 6F 20 6F 75   obody will go ou
050 : 74 20 74 6F 20 63 65 6C 65 62 72 61 74 65 20 74   t to celebrate t
060 : 68 65 20 6E 65 77 20 79 65 61 72 3F 3F 0D 0A 00   he new year??...
Where is this coming from? I can't find a rule, only a mapping:
[root@aardvark snort]# grep Tagged ./*
./gen-msg.map:2 || 1 || tag: Tagged Packet

This is snort 2.2.0 Build 30 with freshly oinkmaster'ed rulesets from:
www.snort.org/dl/rules/snortrules-stable.tar.gz
and
www.bleedingsnort.com/bleeding.rules.tar.gz

These seemed to start about the time I added the bleedingsnort rules, but this may just be a coincidence.
Jeff
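Background for the question above, added here and not part of the original post: the gen-msg.map line quoted ("2 || 1 || tag: Tagged Packet") identifies generator 2, which is Snort's tag mechanism. A rule carrying the tag option (tag:session,... or tag:host,...) causes Snort to keep logging further packets from that session or host for the stated number of seconds, packets or bytes, and those follow-on packets are reported under generator 2 / sid 1 rather than under the sid of the rule that fired. The way to trace "Tagged Packet" alerts back to their origin is therefore to look for tag: in the loaded rule files. The script below is an added example, not code from Snort or from the snort.org/bleedingsnort rulesets; it scans rule text for the tag option, handles backslash line continuations and commented-out rules, and reports the sid, msg and tag parameters. The sample rules embedded in it are constructed and their sids (9000001 and so on) are placeholders, not real signature ids.

```python
"""Find which Snort rules carry a ``tag`` option.

Packets logged through Snort's tag mechanism appear as generator 2 / sid 1
("Tagged Packet") instead of the sid of the rule that started the tagging, so
scanning the rule files for ``tag:`` is how to find the rule responsible.
Added example; not Snort's own code. The sample rules below are constructed
and their sids are placeholders.
"""
import re
from typing import Dict, List, Optional

# Constructed sample rules: two that tag, one that does not, and one tagging
# rule that is commented out (sids in the 9000000 range are fictitious).
SAMPLE_RULES = r"""
# Constructed sample rule set for demonstration only.
alert tcp $EXTERNAL_NET any -> $HOME_NET 6660:7010 (msg:"EXAMPLE IRC PRIVMSG from server"; \
    flow:to_client,established; content:"PRIVMSG"; tag:session,300,seconds; \
    classtype:policy-violation; sid:9000001; rev:1;)
alert tcp any any -> any 80 (msg:"EXAMPLE plain HTTP rule"; content:"GET"; sid:9000002; rev:1;)
#alert tcp any any -> any 23 (msg:"EXAMPLE disabled telnet rule"; tag:host,100,packets,src; sid:9000003; rev:1;)
alert udp any any -> any 53 (msg:"EXAMPLE DNS tagging rule"; tag:host,30,seconds,dst; sid:9000004; rev:2;)
"""

# Rule header: optional leading '#' (disabled rule), action, protocol, then the
# option block in parentheses.
HEADER_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<proto>\S+)\s+.*?\((?P<opts>.*)\)\s*$'
)
MSG_RE = re.compile(r'msg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
TAG_RE = re.compile(r'\btag\s*:\s*([^;]+);')


def join_continuations(text: str) -> List[str]:
    """Join lines that end in a backslash, as Snort's rule parser does."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        buf += line
        if buf.strip():
            lines.append(buf.strip())
        buf = ""
    if buf.strip():
        lines.append(buf.strip())
    return lines


def parse_tag(value: str) -> Dict[str, object]:
    """Split 'session,300,seconds' or 'host,30,seconds,dst' into its fields."""
    parts = [p.strip() for p in value.split(",")]
    tag: Dict[str, object] = {
        "mode": parts[0],          # session or host
        "count": int(parts[1]),    # how many seconds/packets/bytes to keep logging
        "metric": parts[2],        # seconds, packets or bytes
        "direction": None,         # src/dst, only meaningful for host tags
    }
    if len(parts) > 3:
        tag["direction"] = parts[3]
    return tag


def parse_rule(line: str) -> Optional[Dict[str, object]]:
    """Return sid, msg, tag and enabled flag for a rule line, or None otherwise."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    opts = m.group("opts")
    sid = SID_RE.search(opts)
    msg = MSG_RE.search(opts)
    tag = TAG_RE.search(opts)
    return {
        "enabled": m.group("disabled") is None,
        "action": m.group("action"),
        "proto": m.group("proto"),
        "sid": int(sid.group(1)) if sid else None,
        "msg": msg.group(1) if msg else "",
        "tag": parse_tag(tag.group(1)) if tag else None,
    }


def find_tagging_rules(text: str, include_disabled: bool = False) -> List[Dict[str, object]]:
    """Return every rule whose option block contains a tag keyword."""
    found = []
    for line in join_continuations(text):
        rule = parse_rule(line)
        if rule and rule["tag"] and (rule["enabled"] or include_disabled):
            found.append(rule)
    return found


if __name__ == "__main__":
    # Against a real install, read the files listed in snort.conf instead of SAMPLE_RULES.
    for r in find_tagging_rules(SAMPLE_RULES):
        t = r["tag"]
        print(f'sid {r["sid"]:>8}  {t["mode"]:<7} {t["count"]:>5} {t["metric"]:<8} {r["msg"]}')
```

To run it against a live sensor, concatenate the rule files included from snort.conf and pass the text to find_tagging_rules; every sid it lists is a candidate source for generator 2 / sid 1 alerts, and the count and metric fields show how much follow-on traffic each one will log, which is what decides whether "Tagged Packet" climbs into the top of an ACID listing.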
Current thread:
- Curious "Tagged Packet" alerts in ACID Jeff Kell (Dec 31)
- RE: Curious "Tagged Packet" alerts in ACID Joe Patterson (Dec 31)
- RE: Curious "Tagged Packet" alerts in ACID Eric Hines (Jan 01)
- Re: Curious "Tagged Packet" alerts in ACID Frank Knobbe (Jan 01)