Snort mailing list archives

More on the "BAD TRAFFIC udp port 0" front


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Tue, 7 May 2002 15:41:41 +1200

I'm now sure this is fragmentation related...

We're getting this snort alert quite often, so I ran up tcpdump and captured
packets from one of the hosts that appeared to be generating such events.

What I'm seeing is that when snort says "BAD TRAFFIC udp port 0", I see a
fragment. The remote host in question is an Active Directory controller
trying to talk to our Active Directory controller. It uses Kerberos over
NetBIOS and the packets are indeed big enough to cause fragmentation - esp.
as we run our WAN over IPSec tunnels (MTU: 1460).

It looks like snort's defrag preprocessor isn't associating these packets
with the rest of the session? I have tried "frag2" and "defrag" - neither
makes any difference. Trying "defrag2" makes snort-1.8.6 return:

*WARNING*: unknown preprocessor "defrag2", ignoring

- so something's amiss there!

Anyway, even though I can time-correlate tcpdump seeing a fragment with
snort forming an alert, if I feed the tcpdump capture back into snort - it
doesn't trigger an alert...

--- SNORT ALERT -----
grep " snort: " /var/adm/messages |grep BAD|grep 11:33:54
May  6 11:33:54 ids snort: [1:525:4] BAD TRAFFIC udp port 0 traffic
[Classification: Misc activity] [Priority: 3]: <eth2> {UDP} 5.6.7.8:0
-> 1.2.3.4:0

----------------------


------- TCPDUMP -------------
tcpdump -n -r /tmp/tcp.log -l|grep 11:33:54
11:33:54.827850 5.6.7.8 > 1.2.3.4: (frag 43822:11@1416)
11:33:54.851794 5.6.7.8.53032 > 1.2.3.4.kerberos:  (frag 43822:1416@0+)
11:33:54.860379 1.2.3.4.kerberos > 5.6.7.8.53032: 

--------------------------

Any ideas, I still have the tcpdump trace if anyone's interested...

-- 
Cheers

Jason Haar

Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
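The tcpdump lines above show the mechanism behind the alert: the fragment at offset 1416 (`frag 43822:11@1416`) carries only the tail of the Kerberos datagram and has no UDP header at all, so any per-packet port lookup on it yields 0/0, which is what the "5.6.7.8:0 -> 1.2.3.4:0" in the alert reflects. The following is an added example, not code from the post or from Snort, that builds two constructed fragments modelled on those tcpdump lines (IP ID 43822, a 1416-byte first fragment with MF set, an 11-byte last fragment, arriving tail-first as in the capture), evaluates a "udp port 0" check per fragment, and then evaluates it again only after IP reassembly. The addresses, ports and the Kerberos payload filler are assumptions; the UDP destination is 88 because tcpdump resolved it as `kerberos`.

```python
import struct
from collections import defaultdict

# Constructed sample modelled on the tcpdump lines in the post: IP ID 43822,
# first fragment 1416 bytes at offset 0 with MF set, last fragment 11 bytes at
# offset 1416. Addresses, ports and the Kerberos payload filler are assumptions.
SRC, DST = "5.6.7.8", "1.2.3.4"
SPORT, DPORT = 53032, 88          # 88 = kerberos, as tcpdump resolved it
IP_ID, PROTO_UDP = 43822, 17
FIRST_FRAG_LEN = 1416             # what fits below the 1460-byte IPSec-tunnel MTU
KERBEROS_LEN = 1419               # filler; 8-byte UDP header + 1419 = 1427 bytes


def ip2bytes(addr):
    return bytes(int(x) for x in addr.split("."))


def build_fragment(src, dst, ident, mf, offset, payload):
    """Minimal IPv4 header (no options, checksum left zero) in front of payload."""
    assert offset % 8 == 0, "fragment offsets are in 8-byte units"
    flags_frag = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, PROTO_UDP, 0, ip2bytes(src), ip2bytes(dst))
    return hdr + payload


def parse_ipv4(pkt):
    (ver_ihl, _, total_len, ident, flags_frag,
     _, proto, _, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "ident": ident, "proto": proto,
        "mf": bool(flags_frag & 0x2000),
        "offset": (flags_frag & 0x1FFF) * 8,
        "payload": pkt[ihl:total_len],
    }


def udp_ports_per_fragment(frag):
    """Port extraction on a single fragment. Only the fragment at offset 0 carries
    the UDP header; a later fragment has no ports to read, so it is reported as
    0/0, which is what the alert in the post shows."""
    if frag["offset"] != 0 or len(frag["payload"]) < 8:
        return (0, 0)
    return struct.unpack("!HH", frag["payload"][:4])


def bad_traffic_udp_port0(ports):
    """The condition a 'udp port 0' rule is checking for."""
    return 0 in ports


class Reassembler:
    """Reassemble IPv4 fragments per (src, dst, id, proto). Returns the whole
    datagram once the MF=0 fragment is in and there are no holes, else None."""
    def __init__(self):
        self.buf = defaultdict(list)

    def feed(self, frag):
        key = (frag["src"], frag["dst"], frag["ident"], frag["proto"])
        self.buf[key].append(frag)
        parts = sorted(self.buf[key], key=lambda f: f["offset"])
        if parts[-1]["mf"]:               # last fragment not seen yet
            return None
        expected = 0
        for p in parts:
            if p["offset"] != expected:   # hole: still waiting for a fragment
                return None
            expected += len(p["payload"])
        del self.buf[key]
        return b"".join(p["payload"] for p in parts)


def sample_fragments():
    """Two fragments in the order tcpdump showed them: the tail arrives first."""
    udp = struct.pack("!HHHH", SPORT, DPORT, 8 + KERBEROS_LEN, 0) + b"\x6c" * KERBEROS_LEN
    first = build_fragment(SRC, DST, IP_ID, True, 0, udp[:FIRST_FRAG_LEN])
    last = build_fragment(SRC, DST, IP_ID, False, FIRST_FRAG_LEN, udp[FIRST_FRAG_LEN:])
    return [parse_ipv4(last), parse_ipv4(first)]


def classify_per_fragment():
    """Evaluate the port check on each fragment by itself (the false-positive path)."""
    result = []
    for f in sample_fragments():
        ports = udp_ports_per_fragment(f)
        result.append((ports, bad_traffic_udp_port0(ports)))
    return result


def classify_reassembled():
    """Evaluate the port check only on the reassembled datagram."""
    r = Reassembler()
    datagram = None
    for f in sample_fragments():
        datagram = r.feed(f) or datagram
    ports = struct.unpack("!HH", datagram[:4])
    return ports, bad_traffic_udp_port0(ports), len(datagram)


if __name__ == "__main__":
    print(classify_per_fragment())   # tail fragment reports (0, 0) and trips the check
    print(classify_reassembled())    # (53032, 88), no alert, 1427-byte datagram
```

Per fragment, the 11-byte tail trips the check while the first fragment does not; after reassembly the datagram is 1427 bytes with ports 53032 -> 88 and the check stays quiet. That is the difference a working defragmentation preprocessor makes: port-based rules should only be evaluated once the transport header is known, either on the offset-0 fragment or on the reassembled datagram.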
