Snort mailing list archives
Re: snort_decoder: Short UDP packet, length field > payload length
From: "Bamm Visscher" <bamm.visscher () gmail com>
Date: Tue, 12 Sep 2006 16:14:01 -0600
Just to clarify how I came up with this.

UDP PROTOCOL INFORMATION:
Source Port: 37892
Destination Port: 0
Length: 4500
Checksum: 4500

That's the key. In a UDP header the first two bytes are the src port, the second two bytes are the dst port, and finally 2 bytes for the msg length (and an optional checksum). The dst port is "0", which means something is probably mangled. Both the length and checksum are 4500. The length is odd and the checksum just can't be right. I assume the dst port is actually 4500 and something got mangled. The hostname of tele-csvpn-gw-3-r.oracle.com. supports the conclusion that this is/was an IPSEC packet. The real question is if it was mangled on the wire, by snort, or during the processing of the unified output.

Ah, life as a packet monkey never gets old... ;)

Bammkkkk

On 9/12/06, Bamm Visscher <bamm.visscher () gmail com> wrote:
If I had to guess, I'd say you have a mangled IPSEC via UDP packet (normally associated w/port 4500). It'd be better if you had the actual packet (and any others belonging to the session) captured.

Bammkkkk

On 9/12/06, Eric Hines <eric.hines () appliedwatch com> wrote:

Has anyone seen this type of traffic before? It's a UDP Header Length > Payload Length alert, but what's odd is the UDP Length is being reported as 4500 bytes! But the packet is actually quite small and you see it's not a fragment. The Source and Destination ports concern me along with who owns that IP address. Is this possibly related to Oracle in any way? Has anyone who runs Oracle seen this packet before? The IP owner information is below as well. IP Header HEX removed for privacy.

------------- packet --------------

APPLIED WATCH EVENT INFORMATION:
Alert ID: 6388082
Priority: 3
Timestamp: Tue Sep 12 10:22:46 CDT 2006
Signature ID : 97
Message: snort_decoder: Short UDP packet, length field > payload length

IP HEADER INFORMATION:
Ver: 4
Length: 108
Flags: 0
Checksum: 25081
Hlen: 5
ID: 1
TTL: 128
Source IP: XXX.XXX.XXX.XXX
TOS: 0
Offset: 0
Proto: 17
Dest IP: 148.87.5.71

UDP PROTOCOL INFORMATION:
Source Port: 37892
Destination Port: 0
Length: 4500
Checksum: 4500

PAYLOAD INFORMATION:
9404 0000 1194 1194 0054 0000 250f d5a6        .G.........T..%...
0000 0001 ee99 1554 273f 6db9 d50e 330c 8ae3   .......T'?m...3...
e1e8 7a9c 1720 53cc 692a dcf1 c68e e3cd 231b   ..z.. S.i*......#.
8699 782c 82b6 6573 ea9a ef43 2e19 9d62 5a14   ..x,..es...C...bZ.
6478 e43e 25b2 480e 1d4e e9c0 5787 ee1e fbfd   dx.>%.H..N..W.....
148.87.5.71 is owned by Oracle it seems:

-----------------------
OrgName: Oracle Datenbanksysteme GmbH
OrgID: ODG-3
Address: 500 Oracle Pkwy
City: Redwood Shores
StateProv: CA
PostalCode: 94065
Country: US

NetRange: 148.87.0.0 - 148.87.255.255
CIDR: 148.87.0.0/16
NetName: ORACLE-AT
NetHandle: NET-148-87-0-0-1
Parent: NET-148-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.ORACLE.COM
NameServer: NS4.ORACLE.COM
Comment:
RegDate: 1991-04-11
Updated: 2002-04-15

RTechHandle: JKD7-ARIN
RTechName: Doyle, John K.
RTechPhone: +1-650-506-2380
RTechEmail: john.doyle () oracle com

--
Best Regards,

Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC
--------------------------------------------------
Email: eric.hines () appliedwatch com
Address: 1095 Pingree Road Suite 221 Crystal Lake, IL 60014
Tel: (877) 262-7593 ext:327
Local: (847) 854-5831
Fax: (847) 854-5106
Web: http://www.appliedwatch.com
--------------------------------------------------
Security Management for the Open Source Enterprise

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
sguil - The Analyst Console for NSM
http://sguil.sf.net
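As an added illustration, not part of the thread, the Python below reproduces the two things Bamm's reasoning rests on: the layout of the 8-byte UDP header and the decoder's comparison of the length field against the bytes actually captured. It takes the hex from the alert's payload dump and assumes, for the example only, that those 88 bytes are the whole UDP segment with the header at offset 0 (IP Length 108 minus a 20-byte header is 88, and the dump opens with the four values the alert reports); the offset-4 decode is included purely to show what the same bytes read as there, not as a conclusion the thread reaches.

```python
import struct

# Hex copied from the alert's payload dump above (ASCII column dropped).
# Assumption for this example: these 88 bytes are the whole UDP segment,
# header first. 108 (IP Length) - 20 (Hlen 5) = 88, and the dump opens
# with 9404 0000 1194 1194, the four header values the alert reports.
DUMP_HEX = """
9404 0000 1194 1194 0054 0000 250f d5a6
0000 0001 ee99 1554 273f 6db9 d50e 330c 8ae3
e1e8 7a9c 1720 53cc 692a dcf1 c68e e3cd 231b
8699 782c 82b6 6573 ea9a ef43 2e19 9d62 5a14
6478 e43e 25b2 480e 1d4e e9c0 5787 ee1e fbfd
"""
DUMP = bytes.fromhex("".join(DUMP_HEX.split()))


def parse_udp(segment: bytes, offset: int = 0) -> dict:
    """Decode the UDP header at `offset`: src port, dst port, length,
    checksum, each a 2-byte big-endian field, in that order."""
    if len(segment) - offset < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, cksum = struct.unpack_from("!HHHH", segment, offset)
    return {"sport": sport, "dport": dport, "length": length, "checksum": cksum}


def decoder_checks(segment: bytes, offset: int = 0) -> list:
    """Sanity checks modelled on snort_decoder's UDP handling. `available`
    is what the capture really holds from the start of the UDP header
    (header + payload); the length field should equal it exactly. Only the
    'Short UDP packet' message is Snort's own wording (from the alert)."""
    hdr = parse_udp(segment, offset)
    available = len(segment) - offset
    alerts = []
    if hdr["length"] == 0:
        alerts.append("length field is zero")
    elif hdr["length"] > available:
        alerts.append("Short UDP packet, length field > payload length")
    elif hdr["length"] < available:
        alerts.append("length field < payload length (long UDP packet)")
    if hdr["dport"] == 0:
        alerts.append("destination port 0, not a usable service port")
    return alerts


if __name__ == "__main__":
    # Offset 0 is what the alert decoded. Offset 4 is shown only because the
    # dump reads 1194 1194 0054 0000 there; the thread itself leaves open
    # where the mangling happened (wire, snort, or unified output).
    for off in (0, 4):
        print(off, parse_udp(DUMP, off), decoder_checks(DUMP, off))
```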
Current thread:
- snort_decoder: Short UDP packet, length field > payload length Eric Hines (Sep 12)
- Re: snort_decoder: Short UDP packet, length field > payload length Bamm Visscher (Sep 12)
- Re: snort_decoder: Short UDP packet, length field > payload length Bamm Visscher (Sep 12)
- Re: snort_decoder: Short UDP packet, length field > payload length Bamm Visscher (Sep 12)
- Re: snort_decoder: Short UDP packet, length field > payload length Bamm Visscher (Sep 12)