Snort mailing list archives

RE: Calling all packet monkeys


From: "Briggs, Bruce" <Bruce.Briggs () suny edu>
Date: Tue, 22 Mar 2005 20:57:02 -0500

Or someone brought in a laptop/foreign PC or a wireless device/wireless
PC which had a static IP addr from outside your organization.

Bruce
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Paul
Schmehl
Sent: Tuesday, March 22, 2005 5:22 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Calling all packet monkeys

Setting aside the fact that we have a default deny policy on inbound
traffic and the fact that I have confirmed that we *explicitly* do not
allow traffic to port 161 (snmp), I am seeing some really strange
traffic.

The alert being tripped is:
alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request tcp";
flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089;
reference:bugtraq,4132; reference:cve,2002-0012;
reference:cve,2002-0013; classtype:attempted-recon; sid:1418; rev:11;)

src host is a foreign address
src port is 135 ?!?!
dst host is an RFC1918 address
dst port is 161

Every one of the 38 packets has the ACK and RST flags set.

Payload is:
length = 20

000 : 00 00 00 00 50 10 02 00 00 00 00 00 00 00 00 00   ....P...........
010 : 00 00 00 00                                       ....

Anyone have any idea what this might be?

(much less how it could happen?) I can only think of two possibilities:
either a NAT address that's "opened a hole" or a spoofed src host.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
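A small triage helper for alerts of this shape, added here as an example and not code from either poster. It parses the Snort payload dump format quoted above, decodes the TCP flag byte, checks whether the payload actually looks like an SNMP (BER) message, and applies the two hypotheses raised in the thread (forged source vs. something inside with a foreign address). The IP addresses and the 0x14 (RST+ACK) flag byte are constructed sample values; the payload bytes are the ones from the post.

```python
import ipaddress
import re

# Payload dump constructed from the hex lines quoted in the post
# (Snort's "offset : hex bytes   ascii" layout).
PAYLOAD_DUMP = """\
000 : 00 00 00 00 50 10 02 00 00 00 00 00 00 00 00 00   ....P...........
010 : 00 00 00 00                                       ....
"""

TCP_FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_snort_dump(dump: str) -> bytes:
    """Recover raw bytes from a Snort payload dump; the ASCII column is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        # hex field is separated from the ASCII column by a run of 2+ spaces
        hex_field = re.split(r"\s{2,}", line.split(":", 1)[1].strip())[0]
        out.extend(int(tok, 16) for tok in hex_field.split())
    return bytes(out)


def decode_tcp_flags(flag_byte: int) -> set:
    return {name for bit, name in TCP_FLAG_BITS.items() if flag_byte & bit}


def looks_like_snmp(payload: bytes) -> bool:
    """SNMP messages are BER-encoded and always open with a SEQUENCE tag (0x30)."""
    return len(payload) >= 2 and payload[0] == 0x30


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def triage(src_ip: str, src_port: int, dst_ip: str, dst_port: int, flag_byte: int, payload: bytes) -> list:
    """Return short tags explaining why this alert is odd; empty means it looks like real SNMP."""
    findings = []
    flags = decode_tcp_flags(flag_byte)
    # sid:1418 is flow:stateless with no content match: it fires on any TCP
    # packet to 161, so confirm the payload is actually SNMP before worrying.
    if dst_port == 161 and not looks_like_snmp(payload):
        findings.append("payload-not-ber-snmp")
    # RST/ACK with no SYN: no session was ever opened on our side. This is the
    # shape of a reply to a packet that carried our address as a forged source.
    if {"RST", "ACK"} <= flags and "SYN" not in flags:
        findings.append("rst-ack-no-session")
    # External source reaching an RFC1918 destination: either a NAT let it
    # through or the sender is already inside with a foreign static address.
    if is_rfc1918(dst_ip) and not is_rfc1918(src_ip):
        findings.append("external-to-rfc1918")
    if src_port < 1024:  # a real client would use an ephemeral port, not 135
        findings.append("privileged-source-port")
    return findings
```

Run it on the alert fields from the post (external src, port 135, RFC1918 dst, port 161, RST+ACK, the 20-byte payload) and all four tags come back, which is the case for looking at NAT state tables and local hosts rather than at an SNMP exposure.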


-------------------------------------------------------
This SF.net email is sponsored by: 2005 Windows Mobile Application
Contest Submit applications for Windows Mobile(tm)-based Pocket PCs or
Smartphones for the chance to win $25,000 and application distribution.
Enter today at http://ads.osdn.com/?ad_id=6882&alloc_id=15148&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users