Snort mailing list archives

Re: Incident Identification (data in TCP syn packet)


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 26 Dec 2001 16:46:55 -0500

I've been seeing a similar kind of thing come in on one of the networks I snort. They always come in from a pair of what seem to be DNS servers for a company in the .ie domain (based on doing a reverse DNS on the source IPs, which may or may not be trustworthy).

The two source machines have pretty widely spaced IP addresses, only one of which is in the RIPE 212.*.*.* block, but they reverse DNS as 3dns-1.foo.ie and 3dns-2.foo.ie which would imply a pair of DNS servers serving the same company (foo is a fictitious name to protect the innocent, albeit a bit unusual).

This happens about every other day and both machines run at the same time. First one fires off a series of three of these odd SYN packets, then the other (source port and ID incrementing with each packet from the same server). This is somewhat consistent with a pair of DNS servers: one fails, then the next tries. It strikes me as strange to use TCP for name lookup from one server to another, however.

Since the SYN packet contains nothing but null bytes I'm not too worried about them. It strikes me as something more likely generated by a broken, misbehaved, or strangely written DNS package than any kind of attack or trojan.

A sample packet:

XX.XX.XX.XX is 3dns-n.foo.ie, YY.YY.YY.YY is a DNS server within the network being watched by snort.

12/21-06:49:16.021914 XX.XX.XX.XX:46528 -> YY.YY.YY.YY:53
PROTO006 TTL:40 TOS:0x0 ID:1 IpLen:20 DgmLen:64
******S* Seq: 0x8D6EA89E  Ack: 0xD156885C  Win: 0x800  TcpLen: 20
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00                          ........



At 09:34 PM 12/23/2001 -0500, Frank Reid wrote:
I'm seeing a pattern of these alerts against a few hosts (destination port
tcp 53) and, it appears, a payload of nulls.  Does anyone know whether these
occur benignly or whether they're associated with some probe?  Is it
possible they're trying to co-opt DNS services to tunnel through a stateful
inspection firewall?  Thanks!

Frank

BAD TRAFFIC data in TCP SYN packet
IPv4: A.B.C.D-> W.X.Y.Z
      hlen=5 TOS=0 dlen=64 ID=13603 flags=0 offset=0 TTL=244 chksum=18433
TCP:  port=2402 -> dport: 53  flags=******S* seq=2027431866
      ack=0 off=5 res=0 win=2048 urp=0 chksum=46093
Payload:  length = 24

000 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
010 : 00 00 00 00 00 00 00 00                           ........
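The condition behind that alert (SYN set, no other flag, and a non-empty payload) plus the all-null check Matt describes, as an added Python example that is not code from the thread or from Snort; it assumes a constructed raw datagram built from the posted header fields, with placeholder addresses and zero checksums:

```python
import struct

TCP_SYN = 0x02
TCP_ACK = 0x10
TCP_FLAG_MASK = 0x3F  # FIN, SYN, RST, PSH, ACK, URG


def build_sample_packet(payload=b"\x00" * 24):
    """Constructed IPv4/TCP datagram mirroring the posted sample:
    TTL 40, ID 1, seq 0x8D6EA89E, ack 0xD156885C, win 0x800, SYN only,
    24 null payload bytes. Addresses are documentation placeholders and
    checksums are left at zero because the parser does not verify them."""
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 1, 0, 40, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 53]))
    tcp = struct.pack("!HHIIBBHHH",
                      46528, 53, 0x8D6EA89E, 0xD156885C,
                      5 << 4, TCP_SYN, 0x800, 0, 0)
    return ip + tcp + payload


def parse_tcp(packet):
    """Walk the IP and TCP headers; return (flags, payload) or None if not TCP."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6:          # IP protocol field: 6 == TCP
        return None
    tcp = packet[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4
    return tcp[13], tcp[data_off:]


def data_in_syn(packet):
    """True when only SYN is set and the segment still carries data,
    which is what the 'data in TCP SYN packet' alert name describes."""
    parsed = parse_tcp(packet)
    if parsed is None:
        return False
    flags, payload = parsed
    return (flags & TCP_FLAG_MASK) == TCP_SYN and len(payload) > 0


def all_null_payload(packet):
    """True when the payload is non-empty and consists only of 0x00 bytes."""
    parsed = parse_tcp(packet)
    if parsed is None:
        return False
    payload = parsed[1]
    return len(payload) > 0 and payload.count(0) == len(payload)
```

Running both checks over a capture lets you separate the null-padded SYNs discussed here from SYNs that carry real data, which is the case worth a closer look.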

