Snort mailing list archives

RE: Interesting traffic...

From: Mark Mason <mark.mason () grandecom com>
Date: Wed, 27 Feb 2002 15:29:07 -0600

Thanks, that helps. I probably should have also included the fact that my
network is comprised of WANs and VLANS. My central router that most traffic
has to go through is set up to drop packets from the 127.0.0.0 network.
"access-list 101 deny   ip 127.0.0.0 0.255.255.255 any"
Most traffic on my network has to go through the router, unless it is on the
same VLAN as the router, but the only thing on that VLAN is network
equipment. So while it does appear to be generated internally, I am confused
as to how it even got to my firewall (where snort is looking at). 

-----Original Message-----
From: Scott Taylor [mailto:scottt () soccer com]
Sent: Tuesday, February 26, 2002 6:28 PM
To: Mark Mason
Subject: Re: [Snort-users] Interesting traffic...


with the TcpLen: 40 (which is the packet length) 
and the mss set which adds 4bytes to the packet 
your minimum packet length should be 44. So it 
looks like it isn't a valid packet. It's crafted 
or custom. Also and two nop's in the tcp header  
would lead me to believe it's comming from a 
2000 host? I'm just learning this stuff so don't 
take it as gospel. You should find out where 
that's comming from. What's weird is the 1 nop 
in the ip options portion......

Hopefully someone here will have a better light 
to shine on this one.

Cheers, 
Scott

[**] [1:528:2] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] 
[Priority: 2]
02/26-11:25:30.667238 127.0.0.1:15158 -> 
xxx.xxx.xxx.xxx:6473
TCP TTL:63 TOS:0x0 ID:9155 IpLen:28 DgmLen:68 DF
IP Options (2) => LSRR NOP 
******S* Seq: 0x1BE3F7DA  Ack: 0x0  Win: 
0xFFFF  TcpLen: 40
TCP Options (6) => MSS: 16344 NOP WS: 1 NOP NOP 
TS: 281854 0 

[**] [1:528:2] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] 
[Priority: 2]
02/26-11:25:33.657238 127.0.0.1:15158 -> 
xxx.xxx.xxx.xxx:6473
TCP TTL:63 TOS:0x0 ID:9156 IpLen:28 DgmLen:68 DF
IP Options (2) => LSRR NOP 
******S* Seq: 0x1BE3F7DA  Ack: 0x0  Win: 
0xFFFF  TcpLen: 40
TCP Options (6) => MSS: 1460 NOP WS: 1 NOP NOP 
TS: 282154 0 

[**] [1:528:2] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] 
[Priority: 2]
02/26-11:25:36.657238 127.0.0.1:15158 -> 
xxx.xxx.xxx.xxx:6473
TCP TTL:63 TOS:0x0 ID:9157 IpLen:28 DgmLen:68 DF
IP Options (2) => LSRR NOP 
******S* Seq: 0x1BE3F7DA  Ack: 0x0  Win: 
0xFFFF  TcpLen: 40
TCP Options (6) => MSS: 1460 NOP WS: 1 NOP NOP 
TS: 282454 0 





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or 
unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snor
t-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?
list=snort-users


---- End Original Message ----



THERE IS ONLY ONE... 
SOCCER.COM, The Center of the Soccer Universe
http://www.soccer.com

<<application/ms-tnef>>

Current thread:

Interesting traffic... Mark Mason (Feb 26)
- Re: Interesting traffic... Ashley Thomas (Feb 26)
- Re: Interesting traffic... Jason Haar (Feb 26)
  - Re: Interesting traffic... Ashley Thomas (Feb 26)
    - Re: Interesting traffic... Jason Haar (Feb 26)
- <Possible follow-ups>
- Re: Interesting traffic... Scott Taylor (Feb 26)
- RE: Interesting traffic... Mark Mason (Feb 27)