Security Incidents mailing list archives

Re: unusual UDP probes


From: T_Esting () EXCITE COM (T.Esting)
Date: Wed, 5 Jan 2000 12:24:17 -0800


  Ron -

  I have timestamps in the logs, but I do not get log bodies by default
(performance prohibitive for a high-speed link that gets as many blocked
packets as we do).  What I do know, assuming I'm interpreting the logs
correctly, is that the packet bodies (including the 20-byte UDP header) are
63, 87, 122, 232, or 237 bytes in length.

  Erick.

On Wed, 05 Jan 2000 12:19:27 -0800, Ron Gula wrote:

 At 05:43 AM 1/5/00 -0800, you wrote:
 >  For a couple of weeks now, we've had our eyes on a strange little UDP
 >probe we've been getting.  It doesn't match any known signatures (based on
 >searching the whitehats.com arachNIDS database - which, by the way, is quite
 >nice - and other security sites and trojan lists).  The source port is
 >always a low port (p <= 1024) and the destination is either 41763 or 55021,
 >with 41763 being the more regular one.  It doesn't match the trin00 or TFN
 >profiles that have been posted, the volume is rather low (less than 10
 >packets a day per source address), and the probes don't seem coordinated
 >(though volume has picked up slightly since the new year).  Has anyone else
 >seen these in the wild or otherwise?  Any idea as to what might be
 >generating it?

 Could you post some payload content of the UDP packets?

 Ron Gula
 Network Security Wizards
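A defender-side triage helper for the profile this thread describes (UDP, source port p <= 1024, destination 41763 or 55021, the reported packet lengths), added here as an example and not code from either poster. It assumes a hypothetical firewall deny-log layout, shown in the constructed sample lines, and groups hits per source address so the low per-source volume and any lengths outside the reported set stand out.

```python
import re
from collections import defaultdict
# Constructed firewall deny lines for illustration; they are not from the thread.
SAMPLE_LOG = """\
Jan 05 03:11:02 fw deny udp 10.0.0.5:53 -> 192.0.2.10:41763 len=87
Jan 05 03:15:47 fw deny udp 10.0.0.5:123 -> 192.0.2.11:41763 len=122
Jan 05 04:02:13 fw deny udp 198.51.100.7:514 -> 192.0.2.10:55021 len=237
Jan 05 04:40:58 fw deny udp 198.51.100.7:1025 -> 192.0.2.10:41763 len=63
Jan 05 05:01:30 fw deny udp 203.0.113.9:1024 -> 192.0.2.12:41763 len=300
Jan 05 05:09:00 fw deny tcp 203.0.113.9:80 -> 192.0.2.12:41763 len=60
"""
# Hypothetical log layout: "<ts> <host> deny <proto> <src>:<sport> -> <dst>:<dport> len=<n>"
LINE_RE = re.compile(
    r"deny (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) len=(?P<len>\d+)$"
)
PROBE_DPORTS = {41763, 55021}         # destination ports reported in the thread
MAX_SPORT = 1024                      # "low" source port, p <= 1024
KNOWN_LENS = {63, 87, 122, 232, 237}  # packet lengths Erick reports

def parse_line(line):
    """Return the fields of one deny line as a dict, or None if it does not parse."""
    m = LINE_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("sport", "dport", "len"):
        rec[k] = int(rec[k])
    return rec

def matches_profile(rec):
    """True when a record fits the probe profile described in the thread."""
    return (rec["proto"] == "udp" and rec["dport"] in PROBE_DPORTS
            and rec["sport"] <= MAX_SPORT)

def summarize(log_text):
    """Group matching records per source; flag lengths outside the reported set."""
    per_src = defaultdict(lambda: {"count": 0, "dports": set(), "lens": [], "new_lens": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not matches_profile(rec):
            continue
        s = per_src[rec["src"]]
        s["count"] += 1
        s["dports"].add(rec["dport"])
        s["lens"].append(rec["len"])
        if rec["len"] not in KNOWN_LENS:
            s["new_lens"].add(rec["len"])
    return dict(per_src)
```

Run `summarize(SAMPLE_LOG)` to get one entry per source; a non-empty `new_lens` set marks a packet length the thread has not seen yet and is worth capturing with a body for the payload Ron asked about.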

