Snort mailing list archives

RE: Curious "Tagged Packet" alerts in ACID


From: "Eric Hines" <eric.hines () appliedwatch com>
Date: Sat, 1 Jan 2005 13:15:10 -0600

Jeff,

If you are wondering what generated the packet, it originally looked like
IRC traffic to me, but the strange thing is, it's not using the standard IRC
port; it's using port 7012. The chat channel is #english. It's a response
packet.

64.12.165.56 port: 7012
-irc-m08.icq.aol.com- *** Looking up your hostname...

A Google search pulled up a few things, namely IrCQ. I figured it had to do
with ICQ from the AOL hostname, and a regular IRC client can't seem to
connect to it -- but I do get an IDENT request.

Unfortunately, I stopped using ICQ a few years ago, so I can't say I know too
much about IrCQ. Perhaps an IRC-type server for ICQ users?

Check out:
http://trout.snt.utwente.nl/ubbthreads/showflat.php?Cat=&Board=scriptsandpopups&Number=77917&page=4&view=expanded&sb=3&o=&fpart=
and do a search for 7012.

Also, the reason ACID may have flagged it is that it may see it as IRC traffic
over a non-standard port.

This is just my 2 cents, good luck researching.



Regards,

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, Inc.


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Eric Hines, GCIA, CISSP                Toll Free: (877) 262-7593
CEO, President                         Direct: (877) 262-7593 x327
Applied Watch Technologies, Inc.       Fax: (877) 262-7593
1134 N. Main St.                       Web: www.appliedwatch.com
Algonquin, IL 60102 

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
"Browserless Enterprise Snort Management is Finally Here"
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

-----Original Message-----
From: Jeff Kell [mailto:jeff-kell () utc edu] 
Sent: Friday, December 31, 2004 7:45 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Curious "Tagged Packet" alerts in ACID

I am getting a rather high (top 5) number of alerts showing up in ACID
displaying as simply "Tagged Packet" and having an sid=1, e.g.:

[snort] Tagged Packet   unclassified   7118 (24%)   1   2   2   2004-12-31 18:02:59   2004-12-31 19:27:17

The URL given for reference is simply:
    http://www.snort.org/snort-db/sid.html?sid=1

Here is a sample whole formatted alert:

Generated by ACID v0.9.6b23 on Fri, 31 Dec 2004 20:34:30 -0500

------------------------------------------------------------------------------
#(1 - 805067) [2004-12-31 18:47:28] [snort/1]  Tagged Packet
IPv4: 64.12.165.56 -> 172.17.128.101
      hlen=5 TOS=0 dlen=152 ID=47551 flags=0 offset=0 TTL=51 chksum=31717
TCP:  port=7012 -> dport: 4618  flags=***AP*** seq=1474874013
      ack=1336104986 off=5 res=0 win=5840 urp=0 chksum=2798
Payload:  length = 112

000 : 3A 4C 6F 75 69 73 61 21 4C 6F 75 69 73 61 40 43   :Louisa!Louisa@C
010 : 42 35 45 36 43 30 30 2E 38 33 42 30 31 38 37 31   B5E6C00.83B01871
020 : 2E 42 36 44 45 36 36 34 39 2E 49 50 20 50 52 49   .B6DE6649.IP PRI
030 : 56 4D 53 47 20 23 65 6E 67 6C 69 73 68 20 3A 6E   VMSG #english :n
040 : 6F 62 6F 64 79 20 77 69 6C 6C 20 67 6F 20 6F 75   obody will go ou
050 : 74 20 74 6F 20 63 65 6C 65 62 72 61 74 65 20 74   t to celebrate t
060 : 68 65 20 6E 65 77 20 79 65 61 72 3F 3F 0D 0A 00   he new year??...

Where is this coming from?  I can't find a rule, only a mapping:

[root@aardvark snort]# grep Tagged ./*
./gen-msg.map:2 || 1 || tag: Tagged Packet

This is snort 2.2.0 Build 30 with freshly oinkmaster'ed rulesets from:

    www.snort.org/dl/rules/snortrules-stable.tar.gz and
    www.bleedingsnort.com/bleeding.rules.tar.gz

These seemed to start about the time I added the bleedingsnort rules, but
this may just be a coincidence.

Jeff


-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues Get a FREE
limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
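An added example, not code from either message above or from the Snort project, for the question of where "Tagged Packet" alerts come from. Snort's `tag` rule option tells the engine to keep logging the packets of a session or host after a rule matches; those follow-on packets are logged under generator 2, sid 1 (the "tag: Tagged Packet" line in gen-msg.map quoted above), so they never carry the sid of the rule that started the tagging, and `grep Tagged` over the rule files finds only the map entry. The script below scans rule text for the `tag:` option itself and reports the originating rule, its sid and how much follow-on traffic one match can generate. The sample rules embedded in it are constructed for this example, with hypothetical sids in the local 9000000 range; they are not taken from the snortrules-stable or bleeding rulesets.

```python
"""Locate the Snort rules whose `tag:` option produces "Tagged Packet" alerts.

Added example; not code from the original thread or from the Snort project.
When a rule with a `tag:` option fires, Snort logs the follow-on packets it
selects under generator 2, sid 1 ("tag: Tagged Packet" in gen-msg.map), so
those alerts never name the rule that started the tagging. Searching the
rule files for the `tag:` option, rather than for the word "Tagged", finds
the originating rule and shows how much follow-on traffic one match can log.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample rules in Snort 2.x syntax. The sids and messages are
# hypothetical (local 9000000 range) and are not taken from the real
# snortrules-stable or bleeding rulesets.
SAMPLE_RULES = r'''
# comment line, ignored by the scanner
alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"EXAMPLE IRC nick change"; flow:to_server,established; content:"NICK "; nocase; sid:9000000; rev:1; classtype:policy-violation;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE IRC server greeting on non-standard port"; flow:to_client,established; content:"Looking up your hostname"; nocase; tag:session,300,seconds; sid:9000001; rev:1; classtype:policy-violation;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE IRC PRIVMSG to channel"; flow:to_server,established; content:"PRIVMSG #"; tag:host,100,packets,src; sid:9000002; rev:1; classtype:policy-violation;)
#alert tcp any any -> any 7012 (msg:"EXAMPLE disabled rule"; tag:session,10,packets; sid:9000003; rev:1;)
'''

# action proto src sport dir dst dport ( options )
RULE_RE = re.compile(
    r'^(alert|log|pass|activate|dynamic|drop|reject|sdrop)\s+(\S+)\s+(\S+)\s+(\S+)\s+'
    r'(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')


@dataclass
class TaggingRule:
    sid: Optional[int]
    msg: str
    tag: str
    header: str
    enabled: bool


def split_options(body: str) -> List[str]:
    """Split a rule body on ';' while ignoring ';' inside quoted strings."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == '\\':
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ';' and not in_quote:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    opts.append(''.join(cur).strip())
    return [o for o in opts if o]


def parse_tag(value: str) -> Dict[str, object]:
    """Decode tag:<session|host>,<count>,<packets|seconds|bytes>[,src|dst]."""
    parts = [p.strip() for p in value.split(',')]
    if len(parts) < 3:
        raise ValueError(f"malformed tag option: {value!r}")
    return {
        'type': parts[0],
        'count': int(parts[1]),
        'metric': parts[2],
        'direction': parts[3] if len(parts) > 3 else None,
    }


def find_tagging_rules(rule_text: str) -> List[TaggingRule]:
    """Return every rule (enabled or commented out) that carries a tag option."""
    found = []
    for raw in rule_text.splitlines():
        line = raw.strip()
        enabled = not line.startswith('#')
        m = RULE_RE.match(line.lstrip('#').strip())
        if not m:
            continue  # blank line or a comment that is not a rule
        header = ' '.join(m.group(i) for i in range(1, 8))
        sid, msg, tag = None, '', None
        for opt in split_options(m.group(8)):
            name, _, val = opt.partition(':')
            name, val = name.strip(), val.strip()
            if name == 'sid':
                sid = int(val)
            elif name == 'msg':
                msg = val.strip('"')
            elif name == 'tag':
                tag = val
        if tag is not None:
            found.append(TaggingRule(sid, msg, tag, header, enabled))
    return found


if __name__ == '__main__':
    for r in find_tagging_rules(SAMPLE_RULES):
        t = parse_tag(r.tag)
        state = 'enabled' if r.enabled else 'commented out'
        print(f"sid {r.sid} ({state}): {r.msg}\n  {r.header}\n"
              f"  logs up to {t['count']} {t['metric']} of {t['type']} traffic"
              + (f" ({t['direction']})" if t['direction'] else '')
              + " as gen 2 / sid 1 'Tagged Packet'")
```

To run it against a real sensor, feed the concatenated contents of the rule directory (for example the files matched by `*.rules` under whatever path snort.conf includes; the path is site-specific) to `find_tagging_rules` instead of `SAMPLE_RULES`. A quick check before that is simply `grep -n 'tag:' *.rules` in the rules directory. Note the scale a single tag can produce: `tag:session,300,seconds` on a chat rule logs five minutes of an IRC session as gen 2 / sid 1 alerts, which is enough to put "Tagged Packet" at the top of an ACID summary even though only one real rule matched.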