Snort mailing list archives

Re: Calling all packet monkeys


From: SN ORT <snort_on_acid () yahoo com>
Date: Wed, 23 Mar 2005 07:00:59 -0800 (PST)

Hehe ..."someone brought in a laptop with a foreign IP" now there would be a sight to see, plugging in your own IP and then expecting it to route back in...

OK, so Hi Paul in Dallas. I suspect that the TCP session may have been started by an internal host that was src: 161, dst: 135 and that the return traffic is the answer to an established session over port 135, and that your ACL allows established sessions first?

Just making sure, is the snmp traffic blocked at both UDP and TCP? Hope this helps.


Cheese!

Marc


--__--__--

Message: 2
Date: Tue, 22 Mar 2005 16:21:54 -0600
From: Paul Schmehl <pauls () utdallas edu>
Reply-To: Paul Schmehl <pauls () utdallas edu>
To: snort-users () lists sourceforge net
Subject: [Snort-users] Calling all packet monkeys

Setting aside the fact that we have a default deny policy on inbound traffic and the fact that I have confirmed that we *explicitly* do not allow traffic to port 161 (snmp), I am seeing some really strange traffic.

The alert being tripped is:

    alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1418; rev:11;)

src host is a foreign address
src port is 135 ?!?!
dst host is an RFC1918 address
dst port is 161

Every one of the 38 packets has the ACK and RST flags set.

Payload is:
length = 20

    000 : 00 00 00 00 50 10 02 00 00 00 00 00 00 00 00 00   ....P...........
    010 : 00 00 00 00                                       ....

Anyone have any idea what this might be? (much less how it could happen?) I can only think of two possibilities; either a NAT address that's "opened a hole" or a spoofed src host.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu



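The two explanations raised in this thread (a reply to a session an internal host opened from source port 161, versus an unsolicited RST/ACK from a spoofed source) can be told apart by tracking outbound SYNs, which sid:1418 does not do because it is declared flow:stateless. The following is an added illustration, not code from the thread or from Snort: a tiny flow table fed with constructed packets, with the RFC1918 range reduced to 10/8 and all addresses made up.

```python
"""Stateless sid:1418 versus a flow-aware check on RST/ACK packets.

Added example, not from the thread. Models the hypothesis in the reply:
an internal host opens a TCP session from source port 161 to a remote
port 135; the remote side's RST/ACK (src 135, dst 161) matches a stateless
rule. A flow table seeded by outbound SYNs separates such replies from
RST/ACKs that no internal host ever solicited. All packets are constructed.
"""
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

def is_home(ip: str) -> bool:
    # $HOME_NET reduced to 10/8 for this constructed sample.
    return ip.startswith("10.")

def stateless_sid1418(pkt: Packet) -> bool:
    """alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (flow:stateless)."""
    return not is_home(pkt.src) and is_home(pkt.dst) and pkt.dport == 161

class FlowTable:
    """Remembers client-side SYNs (SYN set, ACK clear) leaving the home net."""
    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int]] = set()

    def observe(self, pkt: Packet) -> None:
        if is_home(pkt.src) and pkt.flags & SYN and not pkt.flags & ACK:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def is_reply(self, pkt: Packet) -> bool:
        # Reverse the 4-tuple: a reply's dst/dport is our src/sport.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows

def classify(packets: list[Packet]) -> list[tuple[bool, bool]]:
    """Per packet: (fires the stateless rule, explained by an outbound SYN)."""
    table, out = FlowTable(), []
    for pkt in packets:
        table.observe(pkt)
        out.append((stateless_sid1418(pkt), table.is_reply(pkt)))
    return out

SAMPLE = [  # constructed traffic
    Packet("10.1.2.3", 161, "203.0.113.9", 135, SYN),        # internal client
    Packet("203.0.113.9", 135, "10.1.2.3", 161, RST | ACK),  # its RST/ACK reply
    Packet("203.0.113.9", 135, "10.1.2.4", 161, RST | ACK),  # no matching SYN
]
```

Running `classify(SAMPLE)` flags both RST/ACKs under the stateless rule, but only the second is accounted for by an outbound SYN; the third is what a spoofed or NAT-leaked packet would look like.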

