Snort mailing list archives
RE: Curious "Tagged Packet" alerts in ACID
From: "Eric Hines" <eric.hines () appliedwatch com>
Date: Sat, 1 Jan 2005 13:15:10 -0600
Jeff,

If you are wondering what generated the packet, it originally looked like IRC traffic to me, but the strange thing is, it's not using the standard IRC port; it's using port 7012. The chat channel is #english. It's a response packet.

64.12.165.56 port: 7012 -irc-m08.icq.aol.com- *** Looking up your hostname...

A google search pulled up a few things, namely IrCQ.. I figured it had to do with ICQ from the AOL hostname, and a regular IRC client can't seem to connect to it -- but I do get an IDENT request.. Unfortunately, I stopped using ICQ a few years ago so can't say I know too much about IrCQ.. Perhaps an IRC-type server for ICQ users?

Check out: http://trout.snt.utwente.nl/ubbthreads/showflat.php?Cat=&Board=scriptsandpopups&Number=77917&page=4&view=expanded&sb=3&o=&fpart= and do a search for 7012

Also, the reason ACID may have flagged it is it may see it as IRC traffic over a non-standard port.. This is just my 2 cents, good luck researching.

Regards,

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, Inc.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Eric Hines, GCIA, CISSP              Toll Free: (877) 262-7593
CEO, President                       Direct:    (877) 262-7593 x327
Applied Watch Technologies, Inc.     Fax:       (877) 262-7593
1134 N. Main St.                     Web:       www.appliedwatch.com
Algonquin, IL 60102
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
"Browserless Enterprise Snort Management is Finally Here"
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

-----Original Message-----
From: Jeff Kell [mailto:jeff-kell () utc edu]
Sent: Friday, December 31, 2004 7:45 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Curious "Tagged Packet" alerts in ACID

I am getting a rather high (top 5) number of alerts showing up in ACID displaying as simply "Tagged Packet" and having an sid=1, e.g.:
[snort] Tagged Packet   unclassified   7118 (24%)   1   2   2   2004-12-31 18:02:59   2004-12-31 19:27:17

The URL given for reference is simply: http://www.snort.org/snort-db/sid.html?sid=1

Here is a sample whole formatted alert:

Generated by ACID v0.9.6b23 on Fri, 31 Dec 2004 20:34:30 -0500
------------------------------------------------------------------------------
#(1 - 805067) [2004-12-31 18:47:28]  [snort/1]  Tagged Packet
IPv4: 64.12.165.56 -> 172.17.128.101
      hlen=5 TOS=0 dlen=152 ID=47551 flags=0 offset=0 TTL=51 chksum=31717
TCP:  port=7012 -> dport: 4618  flags=***AP*** seq=1474874013
      ack=1336104986 off=5 res=0 win=5840 urp=0 chksum=2798
Payload:  length = 112
000 : 3A 4C 6F 75 69 73 61 21 4C 6F 75 69 73 61 40 43   :Louisa!Louisa@C
010 : 42 35 45 36 43 30 30 2E 38 33 42 30 31 38 37 31   B5E6C00.83B01871
020 : 2E 42 36 44 45 36 36 34 39 2E 49 50 20 50 52 49   .B6DE6649.IP PRI
030 : 56 4D 53 47 20 23 65 6E 67 6C 69 73 68 20 3A 6E   VMSG #english :n
040 : 6F 62 6F 64 79 20 77 69 6C 6C 20 67 6F 20 6F 75   obody will go ou
050 : 74 20 74 6F 20 63 65 6C 65 62 72 61 74 65 20 74   t to celebrate t
060 : 68 65 20 6E 65 77 20 79 65 61 72 3F 3F 0D 0A 00   he new year??...
Where is this coming from? I can't find a rule, only a mapping:
[root@aardvark snort]# grep Tagged ./*
./gen-msg.map:2 || 1 || tag: Tagged Packet
This is snort 2.2.0 Build 30 with freshly oinkmaster'ed rulesets from:
www.snort.org/dl/rules/snortrules-stable.tar.gz and
www.bleedingsnort.com/bleeding.rules.tar.gz

These seemed to start about the time I added the bleedingsnort rules, but this may just be a coincidence.

Jeff

-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
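The "Tagged Packet" entry is generator 2, sid 1 (the `tag` rule option, as the gen-msg.map grep shows), so the payload rather than a signature is what tells you what the traffic is. As an added example that is not part of this thread, the Python below rebuilds the payload bytes from the ACID hex dump quoted above, parses them as an RFC 1459 IRC message, and flags IRC on a port outside the usual range, which is Eric's reading of the alert; the IRC command set and the list of "standard" IRC ports are my assumptions.

```python
import re

# Payload hex dump copied from the ACID alert quoted in this thread (constructed sample input).
ACID_DUMP = """\
000 : 3A 4C 6F 75 69 73 61 21 4C 6F 75 69 73 61 40 43 :Louisa!Louisa@C
010 : 42 35 45 36 43 30 30 2E 38 33 42 30 31 38 37 31 B5E6C00.83B01871
020 : 2E 42 36 44 45 36 36 34 39 2E 49 50 20 50 52 49 .B6DE6649.IP PRI
030 : 56 4D 53 47 20 23 65 6E 67 6C 69 73 68 20 3A 6E VMSG #english :n
040 : 6F 62 6F 64 79 20 77 69 6C 6C 20 67 6F 20 6F 75 obody will go ou
050 : 74 20 74 6F 20 63 65 6C 65 62 72 61 74 65 20 74 t to celebrate t
060 : 68 65 20 6E 65 77 20 79 65 61 72 3F 3F 0D 0A 00 he new year??...
"""

IRC_COMMANDS = {"PRIVMSG", "NOTICE", "JOIN", "PART", "NICK", "USER", "MODE", "PING", "PONG"}
# Assumed "expected" IRC ports: 6660-6669 plain text and 6697 TLS (tune for your network).
STANDARD_IRC_PORTS = set(range(6660, 6670)) | {6697}


def acid_dump_to_bytes(dump: str) -> bytes:
    """Rebuild raw payload bytes from ACID's 'offset : hex bytes  ascii' dump lines."""
    out = bytearray()
    for line in dump.splitlines():
        offset, sep, rest = line.partition(" : ")
        if not sep or not re.fullmatch(r"[0-9A-Fa-f]{3}", offset.strip()):
            continue
        for tok in rest.split()[:16]:          # at most 16 bytes per row; ASCII column ends the run
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def parse_irc_line(payload: bytes):
    """Split the payload's first line into (prefix, COMMAND, params) per RFC 1459, else None."""
    line = payload.rstrip(b"\x00").decode("ascii", errors="replace").split("\r\n", 1)[0]
    prefix = None
    if line.startswith(":"):                  # optional ":nick!user@host " prefix
        prefix, _, line = line[1:].partition(" ")
    head, _, trailing = line.partition(" :")  # trailing param may contain spaces
    parts = head.split()
    if not parts or not (parts[0].isalpha() or parts[0].isdigit()):
        return None
    return prefix, parts[0].upper(), parts[1:] + ([trailing] if trailing else [])


def classify(payload: bytes, sport: int, dport: int) -> str:
    """Label a payload as IRC on a standard port, IRC on a non-standard port, or not IRC."""
    msg = parse_irc_line(payload)
    if msg is None or msg[1] not in IRC_COMMANDS:
        return "not-irc"
    return "irc-standard-port" if {sport, dport} & STANDARD_IRC_PORTS else "irc-nonstandard-port"
```

Run against the dump above with the alert's ports (7012 -> 4618) it yields `irc-nonstandard-port`; the same check can be applied to any other tagged-packet payload ACID shows.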
Current thread:
- Curious "Tagged Packet" alerts in ACID Jeff Kell (Dec 31)
- RE: Curious "Tagged Packet" alerts in ACID Joe Patterson (Dec 31)
- RE: Curious "Tagged Packet" alerts in ACID Eric Hines (Jan 01)
- Re: Curious "Tagged Packet" alerts in ACID Frank Knobbe (Jan 01)