Snort mailing list archives

RE: SV: BAD TRAFFIC data in TCP SYN packet


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 15 Jan 2002 16:40:40 -0500

Yes, what you say is true, but if you scroll down, not only are they invalid DNS packets, they are also TCP SYN packets to port 53 which contain data.

------------------------------------
Digging deeper, it appears they are also using TCP:

20:30:15.070616 172.20.78.202.3000 > dns-server.53: S
1839760761:1839760825(64) win 2048
aaaa 0300 0000 0800 4500 0068 7985 0000
f406 9cb9 ac14 4eca c0a8 1004 0bb8 0035
6da8 8579 0000 0000 5002 0800 f842 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
-------------------------------


At 12:26 PM 1/15/2002 -0800, Dan Hollis wrote:
On Tue, 15 Jan 2002, Austad, Jay wrote:
> Here's a description of the probe from the help provided in the
> configuration interface for the 3dns units:
> DNS_DOT (DNS Dot)
> [...]
> DNS_REV (Reverse IP address lookup)
> [...]

The mysterious malformed packets described in incidents are neither of
these.

The f5 seems to be sending malformed DNS packets, and the DNS servers are
responding (correctly) with a format error.

Is this a bug or intentional on behalf of f5?

-Dan
--
[-] Omae no subete no kichi wa ore no mono da. [-]


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
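The hex dump quoted in the thread, decoded and checked for the condition the alert name describes (a SYN segment that already carries a payload). This is an added example, not code from the thread or from Snort; it assumes the dump starts with an 8-byte 802.2 LLC/SNAP header ahead of the IPv4 header, and the payload threshold of zero bytes is an assumption, not the rule's actual option value.

```python
import socket
import struct

# Hex dump as quoted in the thread (tcpdump -x style). The first eight bytes,
# aa aa 03 00 00 00 08 00, are assumed to be an LLC/SNAP header before IPv4.
SYN_DUMP = """
aaaa 0300 0000 0800 4500 0068 7985 0000
f406 9cb9 ac14 4eca c0a8 1004 0bb8 0035
6da8 8579 0000 0000 5002 0800 f842 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
"""

SNAP_HDR_LEN = 8          # assumption: LLC/SNAP encapsulation in the dump
TCP_SYN, TCP_ACK = 0x02, 0x10

def parse_dump(text: str) -> bytes:
    """Turn tcpdump-style hex words into raw frame bytes."""
    return bytes.fromhex("".join(text.split()))

def decode_tcp(frame: bytes) -> dict:
    """Pull out the IPv4/TCP fields needed to judge a SYN-with-data packet."""
    ip = frame[SNAP_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4                  # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not a TCP packet")
    tcp = ip[ihl:total_len]                   # TCP header + payload only
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    doff = (off_flags >> 12) * 4              # TCP header length in bytes
    return {
        "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF, "win": win, "payload": tcp[doff:],
    }

def syn_with_data(pkt: dict, min_payload: int = 0) -> bool:
    """True for a pure SYN (no ACK) carrying more than min_payload bytes."""
    pure_syn = (pkt["flags"] & (TCP_SYN | TCP_ACK)) == TCP_SYN
    return pure_syn and len(pkt["payload"]) > min_payload

if __name__ == "__main__":
    p = decode_tcp(parse_dump(SYN_DUMP))
    print(f'{p["src"]}:{p["sport"]} > {p["dst"]}:{p["dport"]} S '
          f'{p["seq"]}:{p["seq"] + len(p["payload"])}({len(p["payload"])}) '
          f'win {p["win"]} -> SYN with data: {syn_with_data(p)}')
```

The decoded summary reproduces the sequence range and 64-byte payload shown in the quoted tcpdump line.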