Snort mailing list archives
Calling all packet monkeys
From: Paul Schmehl <pauls () utdallas edu>
Date: Tue, 22 Mar 2005 16:21:54 -0600
Setting aside the fact that we have a default deny policy on inbound traffic and the fact that I have confirmed that we *explicitly* do not allow traffic to port 161 (snmp), I am seeing some really strange traffic.
The alert being tripped is:

alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1418; rev:11;)

src host is a foreign address
src port is 135 ?!?!
dst host is an RFC1918 address
dst port is 161

Every one of the 38 packets has the ACK and RST flags set.

Payload is: length = 20
000 : 00 00 00 00 50 10 02 00 00 00 00 00 00 00 00 00 ....P...........
010 : 00 00 00 00 ....

Anyone have any idea what this might be? (much less how it could happen?) I can only think of two possibilities; either a NAT address that's "opened a hole" or a spoofed src host.
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
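An added triage helper for an alert like the one above (example code written for this archive page, not the poster's or the Snort project's): it parses the quoted hex dump, extracts the rule's flow: keyword, and shows that a flow:stateless rule fires on a bare ACK/RST packet even though no session to port 161 was ever established, whereas a flow:established rule would not. The flow check is a deliberately simplified model of Snort's behaviour, not its stream engine, and the packet fields are constructed from the values quoted in the post.

```python
"""Triage a Snort hit on a TCP packet that carries only ACK/RST (added example)."""
import re

# Constructed from the post: rule options, observed flags/ports and the payload dump.
RULE_OPTS = 'msg:"SNMP request tcp"; flow:stateless; sid:1418; rev:11;'
OBSERVED = {"src_port": 135, "dst_port": 161,
            "flags": {"ACK", "RST"}, "session_established": False}
HEX_DUMP = """000 : 00 00 00 00 50 10 02 00 00 00 00 00 00 00 00 00 ....P...........
010 : 00 00 00 00 ...."""


def parse_hexdump(dump):
    """Turn 'offset : xx xx ... ascii' lines into bytes (max 16 bytes per line)."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"^\s*[0-9a-fA-F]+\s*:\s*((?:[0-9a-fA-F]{2}\s)+)", line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", "")[:32])
    return bytes(out)


def flow_requirements(rule_opts):
    """Return the set of flow: keywords in a rule's options (empty if none)."""
    m = re.search(r"flow:\s*([^;]+);", rule_opts)
    return {tok.strip() for tok in m.group(1).split(",")} if m else set()


def rule_would_fire(rule_opts, pkt):
    """Simplified flow: model (hypothetical, not Snort's real stream tracking).

    No flow keyword or flow:stateless matches any packet; flow:established
    needs a tracked session, which a lone ACK/RST never creates."""
    req = flow_requirements(rule_opts)
    if not req or "stateless" in req:
        return True
    if "established" in req and not pkt["session_established"]:
        return False
    return True


def triage(pkt):
    """Say what a stateless hit on this packet does and does not demonstrate."""
    if "SYN" in pkt["flags"] and "ACK" not in pkt["flags"]:
        return "connection attempt to port %d" % pkt["dst_port"]
    if "RST" in pkt["flags"]:
        return ("reset with no session: the rule fired without any established "
                "flow to port %d; consistent with a spoofed source or stale NAT "
                "state rather than a real SNMP request" % pkt["dst_port"])
    return "mid-stream segment; check stream tracking before escalating"
```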