Snort mailing list archives
RE: BAD TRAFFIC data in TCP SYN packet
From: "Keith Pachulski" <keithp () corp ptd net>
Date: Tue, 25 Feb 2003 10:25:20 -0500
bad rule

bad-traffic.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC data in TCP SYN packet"; flags:S; dsize:>6; reference:url,www.cert.org/incident_notes/IN-99-07.html; sid:526; classtype:misc-activity; rev:4;)

the rule lacks the tcp ports noted in the cert advisory

-----Original Message-----
From: John York [mailto:YorkJ () brcc edu]
Sent: Tuesday, February 25, 2003 9:55 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] BAD TRAFFIC data in TCP SYN packet

I've been getting a lot of alerts on this the last few days. There are several source IP addresses, but they are all owned by either Nintendo of America or an ISP in NC. They are always directed at my public DNS server's port 53.

[**] BAD TRAFFIC data in TCP SYN packet [**]
02/25-13:02:43.959890 x.x.x.x:8842 -> x.x.x.x:53
TCP TTL:47 TOS:0x0 ID:1 IpLen:20 DgmLen:64
******S* Seq: 0x6B3E9354 Ack: 0x2FB1103E Win: 0x800 TcpLen: 20
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 ........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The rule references a cert article on Trinoo and TFN, but the port numbers don't match. Does anyone know what this is?

Thanks
John

John York
Network Engineer
Blue Ridge Community College
P.O. Box 80/One College Lane
Weyers Cave, VA 24486
540.453.2255

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
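The matching logic behind SID 526, as an added example written for this archive page (it is not code from the thread or from Snort): it parses the full-format alert John York quoted, recomputes dsize from DgmLen, IpLen and TcpLen, and evaluates the rule as shipped beside a destination-port-restricted variant of the kind Keith Pachulski's reply implies. Two assumptions: flags:S is treated as "exactly SYN set", and the port set ADVISORY_TCP_PORTS is a placeholder, because the thread does not reproduce the ports listed in CERT IN-99-07.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed copy of the alert quoted in the thread (addresses were already
# masked as x.x.x.x by the original poster); sample input for the parser below.
SAMPLE_ALERT = """\
[**] BAD TRAFFIC data in TCP SYN packet [**]
02/25-13:02:43.959890 x.x.x.x:8842 -> x.x.x.x:53
TCP TTL:47 TOS:0x0 ID:1 IpLen:20 DgmLen:64
******S* Seq: 0x6B3E9354  Ack: 0x2FB1103E  Win: 0x800  TcpLen: 20
"""


@dataclass
class Packet:
    src_port: int
    dst_port: int
    flags: str      # letters of the TCP flags that are set, in Snort's 12UAPRSF order
    ip_len: int     # IpLen: IP header length in bytes
    dgm_len: int    # DgmLen: total IP datagram length in bytes
    tcp_len: int    # TcpLen: TCP header length in bytes

    @property
    def dsize(self) -> int:
        """TCP payload size, which is what Snort's dsize keyword tests."""
        return self.dgm_len - self.ip_len - self.tcp_len


def parse_alert(text: str) -> Packet:
    """Pull the fields SID 526 depends on out of a Snort full-format TCP alert."""
    ports = re.search(r":(\d+) -> \S+:(\d+)", text)
    hdr = re.search(r"IpLen:(\d+) DgmLen:(\d+)", text)
    tcp = re.search(r"^([12UAPRSF*]{8}) .*TcpLen: (\d+)", text, re.M)
    if not (ports and hdr and tcp):
        raise ValueError("not a Snort TCP alert in full output format")
    return Packet(
        src_port=int(ports.group(1)),
        dst_port=int(ports.group(2)),
        flags=tcp.group(1).replace("*", ""),   # "******S*" -> "S"
        ip_len=int(hdr.group(1)),
        dgm_len=int(hdr.group(2)),
        tcp_len=int(tcp.group(2)),
    )


@dataclass
class Rule:
    """The subset of rule options SID 526 uses, plus optional port restrictions."""
    flags: str                                    # flags:S -> exactly SYN set (assumption)
    dsize_gt: int                                 # dsize:>N
    src_ports: Optional[FrozenSet[int]] = None    # None means 'any'
    dst_ports: Optional[FrozenSet[int]] = None

    def matches(self, pkt: Packet) -> bool:
        if pkt.flags != self.flags:
            return False
        if pkt.dsize <= self.dsize_gt:
            return False
        if self.src_ports is not None and pkt.src_port not in self.src_ports:
            return False
        if self.dst_ports is not None and pkt.dst_port not in self.dst_ports:
            return False
        return True


# The rule as shipped in bad-traffic.rules: any -> any, flags:S, dsize:>6.
SID_526_AS_SHIPPED = Rule(flags="S", dsize_gt=6)

# Placeholder for the TCP ports named in CERT IN-99-07: the thread does not
# reproduce them, so these values are an assumption, not the advisory's list.
ADVISORY_TCP_PORTS = frozenset({65000, 65001})
SID_526_PORT_RESTRICTED = Rule(flags="S", dsize_gt=6, dst_ports=ADVISORY_TCP_PORTS)


def explain(text: str) -> dict:
    """Show why the quoted packet fires the shipped rule and would not fire a port-bound one."""
    pkt = parse_alert(text)
    return {
        "dst_port": pkt.dst_port,
        "dsize": pkt.dsize,                       # 64 - 20 - 20 = 24 bytes of payload
        "fires_as_shipped": SID_526_AS_SHIPPED.matches(pkt),
        "fires_port_restricted": SID_526_PORT_RESTRICTED.matches(pkt),
    }


if __name__ == "__main__":
    for key, value in explain(SAMPLE_ALERT).items():
        print(f"{key}: {value}")
```

The point the numbers make: the quoted SYN carries 24 bytes of (all-zero) payload, so any SYN-with-data rule bound to any/any will fire on it regardless of what the CERT note was written for; binding the rule to the advisory's ports is what separates the Trinoo/TFN case from unrelated SYN-with-data traffic such as this port-53 probe.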
Current thread:
- BAD TRAFFIC data in TCP SYN packet John York (Feb 25)
- <Possible follow-ups>
- RE: BAD TRAFFIC data in TCP SYN packet Keith Pachulski (Feb 25)
- Re: BAD TRAFFIC data in TCP SYN packet Phil Wood (Feb 25)
- Re: BAD TRAFFIC data in TCP SYN packet Brian (Feb 26)
- BAD TRAFFIC data in TCP SYN packet Ron Shuck (Feb 25)
- RE: BAD TRAFFIC data in TCP SYN packet Coyle, Brian (Feb 25)
- RE: BAD TRAFFIC data in TCP SYN packet John York (Feb 25)
- RE: BAD TRAFFIC data in TCP SYN packet John York (Feb 25)