Snort mailing list archives
BAD TRAFFIC data in TCP SYN packet
From: "Ron Shuck" <rshuck () Buchanan com>
Date: Tue, 25 Feb 2003 12:14:09 -0600
Hi, I have been seeing a lot of this as well. I have five different sources. It is very annoying. It all has a destination of 53/tcp. Maybe this is some form of broken DNS. But it is a SYN and TCP, so that would indicate a zone transfer request or a DNS exploit. However, it does not appear to be malicious.

Ron Shuck, CISSP - Managing Consultant
Buchanan Associates - A Technology Company in the People Business
http://www.buchanan.com
http://www.isc2.org

Message: 1
Date: Tue, 25 Feb 2003 09:54:41 -0500
From: "John York" <YorkJ () brcc edu>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] BAD TRAFFIC data in TCP SYN packet

I've been getting a lot of alerts on this the last few days. There are several source IP addresses, but they are all owned by either Nintendo of America or an ISP in NC. They are always directed at my public DNS server's port 53.

[**] BAD TRAFFIC data in TCP SYN packet [**]
02/25-13:02:43.959890 x.x.x.x:8842 -> x.x.x.x:53
TCP TTL:47 TOS:0x0 ID:1 IpLen:20 DgmLen:64
******S* Seq: 0x6B3E9354  Ack: 0x2FB1103E  Win: 0x800  TcpLen: 20
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00                          ........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The rule references a CERT article on Trinoo and TFN, but the port numbers don't match. Does anyone know what this is?

Thanks,
John

John York
Network Engineer
Blue Ridge Community College
P.O. Box 80/One College Lane
Weyers Cave, VA 24486
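The alert John York quotes is Snort's check for a TCP segment that has SYN set (and ACK clear) yet carries a payload, and the header fields in the alert already let you recover the payload size by hand: DgmLen 64 minus IpLen 20 minus TcpLen 20 leaves 24 bytes, which matches the 24 zero bytes in the hex dump. The Python below is an added example written for this archive page, not code from the thread or from the Snort project. It reads those fields out of a Snort full-format alert and applies the same SYN-with-data condition to raw IPv4/TCP packets built in-line; the rule condition (SYN set, ACK clear, non-empty payload) is my reading of what the signature tests, not something the thread states, and the sample alert text, addresses and packets are constructed to mirror the one quoted above.

```python
# Added example, not from the Snort-users thread or the Snort project.
# Assumed rule condition (my reading): SYN set, ACK clear, non-empty TCP payload.
import re
import struct
from dataclasses import dataclass

SYN, ACK, PSH = 0x02, 0x10, 0x08

# Constructed copy of the alert quoted in the thread (addresses shown as x.x.x.x).
SAMPLE_ALERT = """[**] BAD TRAFFIC data in TCP SYN packet [**]
02/25-13:02:43.959890 x.x.x.x:8842 -> x.x.x.x:53
TCP TTL:47 TOS:0x0 ID:1 IpLen:20 DgmLen:64
******S* Seq: 0x6B3E9354  Ack: 0x2FB1103E  Win: 0x800  TcpLen: 20
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00                          ........
"""

def parse_snort_alert(text: str) -> dict:
    """Flag string and payload size (DgmLen - IpLen - TcpLen) from a full-format alert."""
    lens = {k: int(v) for k, v in re.findall(r"(IpLen|DgmLen|TcpLen):\s*(\d+)", text)}
    m = re.search(r"^([*12UAPRSF]{8})\s+Seq:", text, re.M)
    if m is None or len(lens) != 3:
        raise ValueError("not a full-format TCP alert")
    return {"flags": m.group(1), "payload_len": lens["DgmLen"] - lens["IpLen"] - lens["TcpLen"]}

def alert_is_data_in_syn(text: str) -> bool:
    a = parse_snort_alert(text)
    return "S" in a["flags"] and "A" not in a["flags"] and a["payload_len"] > 0

@dataclass
class TcpSummary:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    payload_len: int

def parse_ipv4_tcp(pkt: bytes) -> TcpSummary:
    """Parse an IPv4 header plus TCP header from a raw packet (checksums not validated)."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, _tos, total_len = struct.unpack_from("!BBH", pkt, 0)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(pkt):
        raise ValueError("malformed IPv4 header")
    if pkt[9] != 6:
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("short TCP header")
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4          # TCP options count as header, not payload
    if data_off < 20 or data_off > len(tcp):
        raise ValueError("bad TCP data offset")
    return TcpSummary(src, dst, sport, dport, tcp[13], len(tcp) - data_off)

def is_data_in_syn(s: TcpSummary) -> bool:
    """The assumed rule condition: SYN set, ACK clear, payload present."""
    return bool(s.flags & SYN) and not (s.flags & ACK) and s.payload_len > 0

def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b"", options=b""):
    """Build a raw IPv4+TCP packet for testing; TTL/ID/seq/window mirror the alert, checksums stay zero."""
    assert len(options) % 4 == 0, "TCP options must be padded to 32-bit words"
    data_off = ((20 + len(options)) // 4) << 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x6B3E9354, 0, data_off, flags, 0x800, 0, 0)
    tcp += options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 47, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp

# Constructed packets (hypothetical addresses): the SYN with 24 zero bytes from the
# thread, a normal SYN carrying only an MSS option, and a PSH/ACK carrying data.
PKT_SYN_DATA = build_ipv4_tcp("10.0.0.1", "10.0.0.53", 8842, 53, SYN, payload=b"\x00" * 24)
PKT_SYN_MSS = build_ipv4_tcp("10.0.0.1", "10.0.0.53", 8842, 53, SYN, options=b"\x02\x04\x05\xb4")
PKT_PSHACK_DATA = build_ipv4_tcp("10.0.0.1", "10.0.0.53", 8842, 53, PSH | ACK, payload=b"\x00" * 24)

def triage(packets):
    """Return (src, dst, dport, payload_len) for each packet that trips the check."""
    return [(s.src, s.dst, s.dport, s.payload_len)
            for s in map(parse_ipv4_tcp, packets) if is_data_in_syn(s)]

if __name__ == "__main__":
    print(parse_snort_alert(SAMPLE_ALERT))
    print(triage([PKT_SYN_DATA, PKT_SYN_MSS, PKT_PSHACK_DATA]))
```

The MSS-only SYN is the case worth keeping in mind when reading these alerts: options live inside the header length (TcpLen), so a SYN with a 24-byte header and no data is normal, while a 20-byte header followed by 24 bytes of zeros is the anomaly the thread is looking at.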
Current thread:
- BAD TRAFFIC data in TCP SYN packet John York (Feb 25)
- <Possible follow-ups>
- RE: BAD TRAFFIC data in TCP SYN packet Keith Pachulski (Feb 25)
- Re: BAD TRAFFIC data in TCP SYN packet Phil Wood (Feb 25)
- Re: BAD TRAFFIC data in TCP SYN packet Brian (Feb 26)
- BAD TRAFFIC data in TCP SYN packet Ron Shuck (Feb 25)
- RE: BAD TRAFFIC data in TCP SYN packet Coyle, Brian (Feb 25)
- RE: BAD TRAFFIC data in TCP SYN packet John York (Feb 25)
- RE: BAD TRAFFIC data in TCP SYN packet John York (Feb 25)