Re: Help! Very wierd traffic.

[Matt Kettler <mkettler () evi-inc com>]

If I had to guess, I'd suspect some kind of peer-to-peer file swapper, 
using source ports that are commonly passed by firewalls

OR

Someone's trying to see if you have an DNS server on 
xxx.xxx.xxx.xxx,  again, by using source ports that are commonly passed. 
Not sure what the UDP packet is for in this case however.. possibly as an 
alternative to icmp echo for a "ping". Presumably the reason to see if you 
have a TCP connectable DNS server is to try to exploit it.




At 07:30 PM 2/19/2003 +0200, Yonah Russ wrote:
> Hi,
>   I am getting some very wierd traffic from a network. It shows up in
> snort as NMAP TCP Scans and MISC source port 53 < 1024 alerts but there
> really seems to be a whole conversation- I can't figure out what the
> conversation is about though- it doesn't match any protocol in ethereal.
>
>   Here is a dump of the traffic- any ideas?
>
>
> 02/19-16:39:34.375895 212.25.105.34:55 -> xxx.xxx.xxx.xxx:37852
> UDP TTL:55 TOS:0x0 ID:46272 IpLen:20 DgmLen:38
> Len: 18
> 00 00 00 00 00 00 00 00 00 00                    ..........
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 02/19-16:39:34.376092 xxx.xxx.xxx.xxx -> 212.25.105.34
> ICMP TTL:255 TOS:0x0 ID:27737 IpLen:20 DgmLen:66 DF
> Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
> ** ORIGINAL DATAGRAM DUMP:
> 212.25.105.34:55 -> xxx.xxx.xxx.xxx:37852
> UDP TTL:55 TOS:0x0 ID:46272 IpLen:20 DgmLen:38
> Len: 18
> ** END OF DUMP
> 45 00 00 26 B4 C0 00 00 37 11 FD 25 D4 19 69 22  E..&....7..%..i"
> 93 A1 01 04 00 37 93 DC 00 12 99 D5 00 00 00 00  .....7..........
> 00 00 00 00 00 00                                ......
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 02/19-16:39:34.376328 212.25.105.34:80 -> xxx.xxx.xxx.xxx:53
> TCP TTL:55 TOS:0x0 ID:46274 IpLen:20 DgmLen:40
> ***A**** Seq: 0x38A  Ack: 0x0  Win: 0x578  TcpLen: 20
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 02/19-16:39:34.376424 xxx.xxx.xxx.xxx:53 -> 212.25.105.34:80
> TCP TTL:64 TOS:0x0 ID:27738 IpLen:20 DgmLen:40 DF
> *****R** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 20
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 02/19-16:39:34.376758 212.25.105.34:53 -> xxx.xxx.xxx.xxx:53
> TCP TTL:55 TOS:0x0 ID:46275 IpLen:20 DgmLen:40
> ******S* Seq: 0x4EB90C61  Ack: 0x0  Win: 0x578  TcpLen: 20
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 02/19-16:39:34.376926 xxx.xxx.xxx.xxx:53 -> 212.25.105.34:53
> TCP TTL:64 TOS:0x0 ID:27739 IpLen:20 DgmLen:44 DF
> ***A**S* Seq: 0x78F6EB69  Ack: 0x4EB90C62  Win: 0xC0A0  TcpLen: 24
> TCP Options (1) => MSS: 1460
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 02/19-16:39:37.738097 xxx.xxx.xxx.xxx:53 -> 212.25.105.34:53
> TCP TTL:64 TOS:0x0 ID:27740 IpLen:20 DgmLen:44 DF
> ***A**S* Seq: 0x78F6EB69  Ack: 0x4EB90C62  Win: 0xC0A0  TcpLen: 24
> TCP Options (1) => MSS: 1460
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 02/19-16:39:39.372827 212.25.105.34:53 -> xxx.xxx.xxx.xxx:53
> TCP TTL:55 TOS:0x0 ID:46590 IpLen:20 DgmLen:40
> *****R** Seq: 0x4EB90C62  Ack: 0x0  Win: 0x578  TcpLen: 20
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+



-------------------------------------------------------
This SF.net email is sponsored by: SlickEdit Inc. Develop an edge.
The most comprehensive and flexible code editor you can use.
Code faster. C/C++, C#, Java, HTML, XML, many more. FREE 30-Day Trial.
www.slickedit.com/sourceforge
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users