Snort mailing list archives

What's going on here? Mstream analysis...


From: JSeddon () semtech com
Date: Mon, 13 Aug 2001 16:39:55 -0700

Hi all!
     I was hoping this newbie-analyst-wannabe could get some assistance in
figuring out what snort is telling me.  I received 48 packets that alerted
on snort similar to the one below.  The packets all look about the same (I
can forward the full dump if it helps) and all 48 arrived within about 90
seconds.  I'm running Version 1.8.1-beta7 (Build 66).  Here are my
questions:

1.  The rule is telling me that it detected traffic coming from the mstream
client (a.b.c.d) to my firewall (my.firewall.ip) destined for the mstream
handler.  This could be heading to some client on my internal network
hidden by NAT, I assume.  I'm assuming that the term mstream "client" and
mstream "agent" are the same (getting my mstream info from:
http://www.cert.org/incident_notes/IN-2000-05.html).  From what I
understand about mstream, the client (agent) has handlers coded into it
during compile time.  When the agent starts, it tries to announce itself to
all of the handlers that it was coded for.  I doubt that this traffic is
it, because the internal network is hidden by NAT.   If the handler is on
my internal network, there's no way that the agent could announce itself to
the internal IP address.  Also, I believe that the mstream announcement
traffic comes on UDP and these are all TCP:80 packets.  The other
possibility is that the firewall itself is running the handler.  However,
my firewall is running NT and I believe the mstream client runs on *nix.
So I conclude that this is not announcement traffic to a handler on my
network.  How am I doing so far?

2.  If this is not the announcement of the client to the handler, then it
could be the handler echoing commands back to the handler.  There was
definitely data in the packets, I couldn't make anything of it, however.
Most examples of mstream traffic I've seen, however, aren't using common
ports.  On the other hand, the dude running the handler on my internal
network, may have set it to use port 80 so my firewall would forward it to
him.  Is there a way to make sense of the data in the packets?

3.  Does anyone have any other ideas on how to figure out what's happening?

Thanks!
James

[**] DDOS mstream client to handler [**]
08/13-08:12:47.743103 a.b.c.d:80 -> my.firewall.ip:12754
TCP TTL:61 TOS:0x0 ID:27309 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0xE37E6C1A  Ack: 0x57B1F  Win: 0x7D78  TcpLen: 20
48 54 54 50 2F 31 2E 30 20 32 30 30 20 4F 4B 0D  HTTP/1.0 200 OK.
0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 69  .Content-Type: i
6D 61 67 65 2F 67 69 66 0D 0A 43 6F 6E 74 65 6E  mage/gif..Conten
74 2D 4C 65 6E 67 74 68 3A 20 35 37 34 30 0D 0A  t-Length: 5740..
4C 61 73 74 2D 4D 6F 64 69 66 69 65 64 3A 20 46  Last-Modified: F
72 69 2C 20 31 35 20 41 70 72 20 31 39 39 34 20  ri, 15 Apr 1994
30 30 3A 30 30 3A 30 30 20 47 4D 54 0D 0A 45 78  00:00:00 GMT..Ex
70 69 72 65 73 3A 20 54 68 75 2C 20 31 35 20 41  pires: Thu, 15 A
70 72 20 32 30 31 30 20 32 30 3A 30 30 3A 30 30  pr 2010 20:00:00
20 47 4D 54 0D 0A 44 61 74 65 3A 20 4D 6F 6E 2C   GMT..Date: Mon,
20 31 33 20 41 75 67 20 32 30 30 31 20 31 35 3A   13 Aug 2001 15:
31 35 3A 34 38 20 47 4D 54 0D 0A 43 6F 6E 6E 65  15:48 GMT..Conne
63 74 69 6F 6E 3A 20 6B 65 65 70 2D 61 6C 69 76  ction: keep-aliv
65 0D 0A 0D 0A 47 49 46 38 39 61 7E 02 35 00 D5  e....GIF89a~.5..
27 00 00 00 00 00 00 FF 41 33 1C 4D 49 66 FF 00  '.......A3.MIf..
33 99 33 66 5D 66 33 99 44 AA CC 4D 00 66 66 99  3.3f]f3.D..M.ff.
99 66 66 99 76 2A 99 66 99 66 85 CC 65 99 66 CC  .ff.v*.f.f..e.f.
66 66 66 99 99 6B 99 99 99 99 66 94 99 99 D6 8E  fff..k....f.....
24 99 99 99 9E 9E 9E 99 99 F3 CE 99 8D 66 CC 99  $............f..
CE 99 D2 99 CC 99 33 FF F9 CC CC CC E3 CC 94 F9  ......3.........
DD 1E CC CC FF FF CC CC FF FF 00 CC FF CC CC FF  ................
FF FF FF CC FF FF FF FF FF FF 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 21 F9 04 01 00 00 27 00 2C 00 00 00 00 7E  ..!.....'.,....~
02 35 00 00 06 FF C0 93 70 48 2C 1A 8F C8 A4 72  .5......pH,....r
C9 6C 3A 9F D0 A8 74 4A AD 5A AF D8 AC 76 9B 25  .l:...tJ.Z...v.%
78 BD DC B0 78 4C 2E 9B CF E8 B4 7A CD 6E BB DF  x...xL.....z.n..
F0 EA 77 3E 8F DB EF F8 3C B1 E4 F1 94 F8 7F 7A  ..w>....<......z
82 83 84 85 86 87 49 74 8A 88 8C 8D 8E 42 7D 22  ......It.....B}"
18 93 7D 93 18 7C 8C 1D 1B 1B 7D 9B 1D 21 8D 20  ..}..|....}..!.
20 1A 20 21 17 A2 A0 7A 8A AB AC AB 8F AF 6D AD   . !...z......m.
60 86 25 1D 1E 12 12 B7 B9 1E A9 87 B5 1A 15 0C  `.%.............
1E 0C 15 1A 9F 8D 21 20 15 10 1E CB 15 A5 61 25  ......! ......a%
96 22 7D 7E D4 91 96 25 83 20 9C 10 DE 7D DE CC  ."}~...%. ...}..
10 1B 23 84 20 17 21 1A 17 EB A6 EB 1D EA 20 78  ..#. .!....... x
B2 F3 AE B0 F6 68 F3 15 15 83 B7 7D B8 B9 FF FC  .....h.....}....
79 28 D4 81 C1 24 06 08 87 21 3C 68 8C 50 07 7D  y(...$...!<h.P.}
1E C2 61 58 06 A1 42 C4 0A 1D B2 F8 C1 D0 C7 84  ..aX..B.........
C7 8F 20 2B 61 C2 13 B1 62 88 0E 23 40 8E F8 B4  .. +a...b..#@...
E1 5B 2F 3B ED 2E 74 00 01 D2 63 A9 73 EC EC D0  .[/;..t...c.s...
DB F9 E5 9E CF FF 44 3D A7 C8 D2 B7 2F 4F 88 80  ......D=..../O..
7F 6A 96 08 A1 2B 97 36 3C 21 10 1A 0C 11 A2 26  .j...+.6<!.....&
D5 82 09 F5 94 A0 58 A1 56 4D 13 9F 28 5E AA E2  ......X.VM..(^..
61 52 89 8F 95 2C 51 F2 F0 51 1A C7 38 9A 3C 6C  aR...,Q..Q..8.<l
E8 A0 72 65 CA 8F 23 38 CD BD 73 C1 03 29 90 A2  ..re..#8..s..)..
02 03 3E 79 21 0E 4F 9E FA 7E 9E 38 4C E0 0E E3  ..>y!.O..~.8L...
59 4B 86 26 BE 53 62 17 5D 8F 1D 6C 69 BE 0C D6  YK.&.Sb.]..li...
5F C6 38 21 2A 4C D2 F0 F1 A4 31 63 9C 3B 70 64  _.8!*L....1c.;pd
F0 39 0E C4 0B 24 3E CE 9C CD 19 84 AD 8A 53 DC  .9...$>.......S.
B2 35 51 56 AD 6F 4A 1E F9 8C 75 D3 12 42 55 13  .5QV.oJ...u..BU.
2B 37 29 5F 7E D7 44 CB 0D 70 70 D2 B4 B9 AE BA  +7)_~.D..pp.....
F5 E9 26 A4 BB 26 8A 98 A8 F7 C9 3E 19 C3 79 BC  ..&..&.....>..y.
48 89 E4 A2 70 71 ED B6 F5 EF DF 02 F5 97 3B A8  H...pq........;.
87 83 95 B4 47 0D 52 F3 23 34 86 79 3F 1C 12 CE  ....G.R.#4.y?...
C8 16 CE 80 DE 44 70 D9 56 B8 41 E1 C7 6E BD FD  .....Dp.V.A..n..
E6 20 47 C1 F5 D1 46 44 1B 78 94 D7 72 18 2E 77  . G...FD.x..r..w
99 32 7E B4 D1 FF CE 74 D6 85 18 E2 74 E7 1C F3  .2~....t....t...
C6 77 FA D0 83 22 51 44 90 57 9E 1A E2 C5 E2 62  .w..."QD.W.....b
3D 47 B4 C2 22 4C 18 48 40 D7 56 ED 19 80 8B 00  =G.."L.H@.V.....
ED E1 72 56 65 12 B6 21 0D 6B F7 E9 A7 A4 54 55  ..rVe..!.k....TU
85 F6 96 91 18 40 70 81 4D 04 56 19 CE 65 17 58  .....@p.M.V..e.X
F4 14 13 D2 30 F8 E0 97 10 F2 F6 64 1A 9C C4 B7  ....0......d....
9C 03 68 A6 99 A6 3E 9B 78 C4 14 74 6B D8 B6 1B  ..h...>.x..tk...
4E 22 D6 B9 CE 74 A6 C4 E3 C6 8A 15 A8 B8 62 8B  N"...t........b.
33 06 E5 C4 8C 80 EE 74 63 1A 81 B2 82 84 8D E0  3......tc.......
BD 21 DF 7A 41 4A B0 80 01 02 00 19 29 83 B9 B0  .!.zAJ......)...
11 15 2F 60 1D 60 90 06 F8 2D 99 9F 7D 51 69 D0  ../`.`...-..}Qi.
06 33 74 01 38 60 02 09 0C E0 EA AB AC 7A 53 41  .3t.8`.......zSA
6C A1 41 D0 84 5B 1E 61 10 D8 AE BC F6 BA AB 98  l.A..[.a........
6A 74 30 8E 47 9B 8C 30 42 05 0E 3C 63 5B 66 CC  jt0.G..0B..<c[f.
3E 94 6C 85 D9 8D B3 C6 3A D4 D9 69 ED 29 1E AD  >.l.....:..i.)..
93 07 77 F3 44 96 68 63 4F 10 5A 84 77 8A A0 68  ..w.D.hcO.Z.w..h
5E B7 83 FA 89 FF 22 BA 45 30 8A 9E 1B 95 49 70  ^.....".E0....Ip
56 53 B7 18 60 C0 02 1C 61 20 C0 00 91 56 E0 11  VS..`...a ...V..
2E AD A1 81 10 5D 05 61 00 AA A8 4B FA 6B 42 30  .....].a...K.kB0
01 9F B1 0C 4D 24 54 A4 4F 02 0B 50 F0 C1 C5 18  ....M$T.O..P....
7F B0 80 AB 09 78 13 DB 05 09 2A D1 A5 98 20 D8  .....x....*... .
6B F2 C9 28 A7 4C D3 1F 5B 96 31 C2 B0 CE 91 33  k..(.L..[.1....3
82 01 15 C8 6C EC CD 37 67 36 80 03 D0 B6 D4 30  ....l..7g6.....0
19 D4 66 77 ED D0 34 9D 63 AA 1E 7D CA E2 6D A0  ..fw..4.c..}..m.
87 2E FD 98 11 E4 D2 61 AE 11 E4 39 BD 0A 9F EB  .......a...9....
2A DA 2E 2B 8D EE A9 23 6F EA D5 CB D1 1F 22 48  *..+...#o....."H
62 69 90 FE C6 DB 72 19 0C 77 6A B0 06 9E 22 AC  bi....r..wj...".
A4 BF 51 31 B0 36 19 C2 FA 1B F1 33 10 0C 60 71  ..Q1.6.....3..`q
C6 80 7F B0 6F C7 10 C4 B6 CC CF 7B F8 21 A6 AE  ....o......{.!..
06 70 F4 81 07 17 43 1E 78 C6 14 18 B0 32 06 68  .p....C.x....2.h
F4 91 52 B1 33 93 C3 F2 E7 9F 1B DB C1 CE D0 16  ..R.3...........
69 C6 49 45 CB E4 EB EA BE 76 F6 D2 1D 49 B7 C2  i.IE.....v...I..
04 B7 EA 7A                                      ...z
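
The dump above, decoded, as an added example that is not part of the original post. The payload is a plain HTTP/1.0 200 response carrying an image/gif body (the GIF89a header gives a 638x53 logical screen), and the 1460 bytes Snort printed are exactly one full TCP segment of a 5740-byte image. The stock "DDOS mstream client to handler" rule in the dos.rules of that era keyed on an established TCP session to port 12754 plus a single '>' byte anywhere in the payload; here 12754 is just the ephemeral port the internal browser picked, and the '>' is 0x3E inside the compressed GIF data. The script below rebuilds the raw bytes from Snort's hex columns, splits the HTTP response, reads the GIF dimensions and reports where the rule's content match lands. SNORT_DUMP is an excerpt of the alert above (header block, the first GIF line, one line containing 0x3E and the last line), so offsets past the headers differ from the full packet; parse_snort_hexdump, parse_http_response, gif_dimensions, mstream_rule_hits and triage are names chosen for this example.

```python
import re

# Excerpt of the Snort payload dump from the alert above. The hex columns are
# copied verbatim; the GIF data lines between the header block and the last
# line are omitted, so this is a shortened sample, not the whole packet.
SNORT_DUMP = """\
48 54 54 50 2F 31 2E 30 20 32 30 30 20 4F 4B 0D  HTTP/1.0 200 OK.
0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 69  .Content-Type: i
6D 61 67 65 2F 67 69 66 0D 0A 43 6F 6E 74 65 6E  mage/gif..Conten
74 2D 4C 65 6E 67 74 68 3A 20 35 37 34 30 0D 0A  t-Length: 5740..
4C 61 73 74 2D 4D 6F 64 69 66 69 65 64 3A 20 46  Last-Modified: F
72 69 2C 20 31 35 20 41 70 72 20 31 39 39 34 20  ri, 15 Apr 1994
30 30 3A 30 30 3A 30 30 20 47 4D 54 0D 0A 45 78  00:00:00 GMT..Ex
70 69 72 65 73 3A 20 54 68 75 2C 20 31 35 20 41  pires: Thu, 15 A
70 72 20 32 30 31 30 20 32 30 3A 30 30 3A 30 30  pr 2010 20:00:00
20 47 4D 54 0D 0A 44 61 74 65 3A 20 4D 6F 6E 2C   GMT..Date: Mon,
20 31 33 20 41 75 67 20 32 30 30 31 20 31 35 3A   13 Aug 2001 15:
31 35 3A 34 38 20 47 4D 54 0D 0A 43 6F 6E 6E 65  15:48 GMT..Conne
63 74 69 6F 6E 3A 20 6B 65 65 70 2D 61 6C 69 76  ction: keep-aliv
65 0D 0A 0D 0A 47 49 46 38 39 61 7E 02 35 00 D5  e....GIF89a~.5..
F0 EA 77 3E 8F DB EF F8 3C B1 E4 F1 94 F8 7F 7A  ..w>....<......z
04 B7 EA 7A                                      ...z
"""

HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")
MSTREAM_HANDLER_PORT = 12754  # destination port the stock rule watches


def parse_snort_hexdump(dump: str) -> bytes:
    """Rebuild the raw payload from Snort's "hex  ascii" dump lines.

    Each line carries up to 16 bytes as two-digit hex fields in its first
    48 columns; the ASCII rendering after that is ignored. Lines that are
    not dump lines (alert header, blanks) are skipped.
    """
    out = bytearray()
    for line in dump.splitlines():
        fields = line[:48].split()
        if not fields or not all(HEX_PAIR.match(f) for f in fields):
            continue
        out.extend(int(f, 16) for f in fields)
    return bytes(out)


def parse_http_response(payload: bytes):
    """Split an HTTP response into (status line, headers, body), else None."""
    if not payload.startswith(b"HTTP/1."):
        return None
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("ascii", "replace")
    headers = {}
    for raw in lines[1:]:
        name, _, value = raw.partition(b":")
        headers[name.strip().decode("ascii", "replace").lower()] = \
            value.strip().decode("ascii", "replace")
    return status, headers, body


def gif_dimensions(body: bytes):
    """(width, height) of a GIF's logical screen, or None if not a GIF.

    GIF stores the size as two little-endian 16-bit values right after
    the 6-byte "GIF87a"/"GIF89a" signature.
    """
    if len(body) < 10 or body[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    return (int.from_bytes(body[6:8], "little"),
            int.from_bytes(body[8:10], "little"))


def mstream_rule_hits(dst_port: int, payload: bytes):
    """Offsets of '>' (0x3E) that would satisfy the port-12754 rule.

    The rule needs only the destination port and one '>' anywhere in the
    payload, so any binary body that happens to contain 0x3E trips it.
    """
    if dst_port != MSTREAM_HANDLER_PORT:
        return []
    return [i for i, b in enumerate(payload) if b == 0x3E]


def triage(dump: str, src_port: int, dst_port: int) -> dict:
    """Summarise what the dumped bytes actually are and why the rule fired."""
    payload = parse_snort_hexdump(dump)
    report = {"bytes": len(payload),
              "rule_hits": mstream_rule_hits(dst_port, payload),
              "web_reply_from_server_port": False}
    http = parse_http_response(payload)
    if http:
        status, headers, body = http
        report.update(status=status,
                      content_type=headers.get("content-type"),
                      declared_length=int(headers.get("content-length", "0")),
                      body_captured=len(body),
                      gif_size=gif_dimensions(body),
                      web_reply_from_server_port=(src_port == 80))
    return report


if __name__ == "__main__":
    for key, value in triage(SNORT_DUMP, 80, 12754).items():
        print(f"{key}: {value}")
```

Paste the full dump from the alert into SNORT_DUMP and the byte count comes out at 1460 with body_captured well short of the declared 5740, which is the segment-of-a-larger-image picture a web reply should give; an mstream handler exchange would not start with an HTTP status line at all.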
