Snort mailing list archives

Anomalous packet logged by Snort


From: Bill McCarty <bmccarty () apu edu>
Date: Sun, 07 Apr 2002 11:05:36 -0700

Today, I noticed an FTP attack among my Snort alerts. I see such attacks every day or two and follow them up diligently. The only hosts on my network that run FTP are honeypots, so such attacks are never false positives. When I investigated, I found one rather odd packet.

Here's a tcpshow dump of the packet:

Packet 110
TIME:   06:35:00.865192
IP: 62.254.50.140 -> xxx.xxx.xxx.xxx hlen=20 TOS=10 dgramlen=159
id=0000
        MF/DF=0/0 frag=0 TTL=240 proto=TCP cksum=0000
 TCP:   port 2929 -> 21 seq=2905996287 ack=1728071789
        hlen=20 (data=119) UAPRSF=011000 wnd=5840 cksum=0000 urg=0
DATA:   QUIT.
        xxx-xxxxxxPASS Dgpuser () home com.
        CWD /pub/.
        MKD 020407143116p.
        CWD /public/.
        CWD /pub/incoming/.
        CWD /incoming/.

The packet has several unusual features. Prominent among them is the presence of the string xxx-xxxxxx, which I've obfuscated. The actual value of the string is the name of a sensitive host within my internal network. Since no externally visible DNS server knows the name of this host, the presence of this string concerns me.

But, I begin to suspect that the packet has not been correctly logged. For one thing, as I recall, the QUIT command should mark the end of an FTP session. And, I don't recall that the syntax of the FTP PASS command allows a host name in front of the PASS keyword. Also, I notice that the packet ID and checksum are both 0.

Q: Has anyone experienced badly logged packets? Or, is it more likely that the packet was correctly logged, despite possible evidence to the contrary?

Thanks!

---------------------------------------------------
Bill McCarty

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
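As an added example (not part of Bill's message, and not code from Snort or tcpshow), here is a small Python parser for a tcpshow dump that flags the features the post singles out: a zero IP id, zero IP and TCP checksums, a QUIT that is followed by further commands, and an FTP verb preceded by stray text on the same line. The embedded dump is a constructed copy of the one quoted above (hostname still obfuscated); the FTP verb list and the anomaly heuristics are my assumptions, not a Snort rule set.

```python
import re

# Constructed copy of the tcpshow output quoted in the post.
SAMPLE_DUMP = """\
Packet 110
TIME:   06:35:00.865192
IP: 62.254.50.140 -> xxx.xxx.xxx.xxx hlen=20 TOS=10 dgramlen=159
id=0000
        MF/DF=0/0 frag=0 TTL=240 proto=TCP cksum=0000
 TCP:   port 2929 -> 21 seq=2905996287 ack=1728071789
        hlen=20 (data=119) UAPRSF=011000 wnd=5840 cksum=0000 urg=0
DATA:   QUIT.
        xxx-xxxxxxPASS Dgpuser () home com.
        CWD /pub/.
        MKD 020407143116p.
        CWD /public/.
        CWD /pub/incoming/.
        CWD /incoming/.
"""

# Assumed subset of FTP command verbs (RFC 959); extend as needed.
FTP_VERBS = {"USER", "PASS", "CWD", "MKD", "QUIT", "RETR", "STOR", "LIST",
             "PORT", "PASV", "TYPE", "PWD", "NOOP", "SYST", "CDUP", "DELE"}


def parse_tcpshow(text):
    """Split a tcpshow dump into IP fields, TCP fields and payload lines.

    tcpshow prints key=value pairs; 'cksum' appears once in the IP block and
    once in the TCP block, so the two blocks are kept in separate dicts.
    Non-printable payload bytes (the CRLF ending each FTP line) are shown
    as '.', which we strip from the end of each data line.
    """
    ip, tcp, data = {}, {}, []
    section = "ip"
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("TCP:"):
            section = "tcp"
            m = re.search(r"port (\d+) -> (\d+)", stripped)
            if m:
                tcp["sport"], tcp["dport"] = m.group(1), m.group(2)
        elif stripped.startswith("DATA:"):
            section = "data"
            stripped = stripped[len("DATA:"):].strip()
        if section == "data":
            if stripped:
                data.append(stripped.rstrip("."))
            continue
        target = ip if section == "ip" else tcp
        for key, val in re.findall(r"(\w+)=(\S+)", stripped):
            target[key] = val
    return {"ip": ip, "tcp": tcp, "data": data}


def find_anomalies(pkt):
    """Return a list of human-readable findings for the parsed packet."""
    findings = []
    if pkt["ip"].get("id") == "0000":
        findings.append("IP id is 0")
    if pkt["ip"].get("cksum") == "0000":
        findings.append("IP checksum is 0")
    if pkt["tcp"].get("cksum") == "0000":
        findings.append("TCP checksum is 0")
    cmds = pkt["data"]
    # QUIT should end an FTP session; anything after it in the same segment is odd.
    if len(cmds) > 1 and cmds[0].split()[0].upper() == "QUIT":
        findings.append("QUIT is the first command but %d more follow" % (len(cmds) - 1))
    for line in cmds:
        verb = line.split()[0].upper()
        if verb in FTP_VERBS:
            continue
        # A known verb buried inside the line points at stray bytes before it.
        m = re.search(r"(USER|PASS|CWD|MKD)\b", line)
        if m and m.start() > 0:
            findings.append("FTP verb %s preceded by stray text %r"
                            % (m.group(1), line[:m.start()]))
        else:
            findings.append("unrecognised command line %r" % line)
    return findings


def analyse(text):
    """Convenience wrapper: parse a dump and return its findings."""
    return find_anomalies(parse_tcpshow(text))


if __name__ == "__main__":
    for finding in analyse(SAMPLE_DUMP):
        print("-", finding)
```

Run against the dump above it reports the zero id, the two zero checksums, the leading QUIT and the PASS line prefixed by the obfuscated hostname; a capture from a normal FTP client would produce none of these, so the checker gives a quick way to triage similar alerts before deciding whether the sensor or the sender is at fault.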