Security Incidents mailing list archives
Re: {MERIT-INP} 7.0.1.0 -> 14.0.2.13
From: Valdis.Kletnieks () vt edu
Date: Fri, 22 Mar 2002 15:46:13 -0500
On Fri, 22 Mar 2002 10:29:56 PST, seren geti <serengeti () firstlinux net> said:
snort[1955]: [1:1321:4] BAD TRAFFIC 0 ttl [Classification: Misc activity] [Priority: 3]: {MERIT-INP} 7.0.1.0 -> 14.0.2.13

I'll attach the packet that was captured. Because it froze the ServerIron and Snort is running off of a mirrored port, I only got the first packet. I'm not sure if there were more or not. I didn't find any evidence of this packet on other devices.

I have many questions:
What is the MERIT-INP protocol used for? All I've been able to find is that it's number 32.
How would one of these get into my network, or what creates these?

My first guess would be a broken/jabbering transceiver or other error.

Also, look at the possibility that you missed the start of a header, so the fields are all offset by a bit (this will require some hand-decoding of packets). Look for something that's a valid IP header either forward or back of where it's "supposed" to be.

Another possibility is a string of datagrams with undetected collisions. Look to see if all those segments that start off with 08 00 30 30... FF FF FF make sense as broadcast packets - 48 bits of the offending station's MAC, followed by 48 bits of MAC broadcast...

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
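
The hand-decoding suggested in the reply above, as an added example that is not part of the original post: it tries every byte offset in a captured frame and reports where a structurally valid IPv4 header (version 4, sane lengths, correct header checksum) actually sits. The function names and the sample frame are assumptions constructed for illustration; the frame is not the packet attached to this thread.

```python
import struct

ETH_HEADER_LEN = 14  # where the IPv4 header is "supposed" to start in an Ethernet II frame

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 for a header whose checksum is correct."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def find_ipv4_headers(frame: bytes):
    """Return (offset, src, dst, protocol, ttl) for each offset holding a valid IPv4 header."""
    hits = []
    for off in range(len(frame) - 19):
        if frame[off] >> 4 != 4:                 # version nibble must be 4
            continue
        ihl = (frame[off] & 0x0F) * 4            # header length in bytes
        if ihl < 20 or off + ihl > len(frame):
            continue
        header = frame[off:off + ihl]
        total_len = struct.unpack("!H", header[2:4])[0]
        if total_len < ihl:                      # datagram cannot be shorter than its header
            continue
        if ipv4_checksum(header) != 0:           # strongest test: 16-bit checksum must verify
            continue
        src = ".".join(map(str, header[12:16]))
        dst = ".".join(map(str, header[16:20]))
        hits.append((off, src, dst, header[9], header[8]))
    return hits

def build_sample_frame() -> bytes:
    """Constructed sample: Ethernet header, 3 stray bytes, then a valid IPv4 header."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                                bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    eth = bytes.fromhex("ffffffffffff" "020000000001" "0800")
    return eth + b"\x00" * 3 + bytes(hdr) + b"\x00" * 20

if __name__ == "__main__":
    for off, src, dst, proto, ttl in find_ipv4_headers(build_sample_frame()):
        shift = off - ETH_HEADER_LEN
        print(f"valid IPv4 header at byte {off} (shift {shift:+d}): "
              f"{src} -> {dst} proto={proto} ttl={ttl}")
```

A hit at a non-zero shift supports the offset-fields explanation; no hit at any offset points back toward line noise or collision fragments.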