Snort mailing list archives

snort_decoder: Short UDP packet, length field > payload length


From: Eric Hines <eric.hines () appliedwatch com>
Date: Tue, 12 Sep 2006 16:48:19 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Has anyone seen this type of traffic before? It's a UDP Header Length >
Payload Length alert, but what's odd is the UDP Length is being reported
as 4500 bytes! But the packet is actually quite small, and you can see it's
not a fragment. The Source and Destination ports concern me, along with
who owns that IP address. Is this possibly related to Oracle in any way?
Has anyone who runs Oracle seen this packet before? The IP owner
information is below as well.

IP Header HEX removed for privacy.

- ------------- packet --------------

APPLIED WATCH EVENT INFORMATION:
Alert ID: 6388082
Priority: 3
Timestamp: Tue Sep 12 10:22:46 CDT 2006
Signature ID : 97
Message: snort_decoder: Short UDP packet, length field > payload length

IP HEADER INFORMATION:
Ver: 4
Length: 108
Flags: 0
Checksum: 25081
Hlen: 5
ID: 1
TTL: 128
Source IP: XXX.XXX.XXX.XXX
TOS: 0
Offset: 0
Proto: 17
Dest IP: 148.87.5.71

UDP PROTOCOL INFORMATION:
Source Port: 37892
Destination Port: 0
Length: 4500
Checksum: 4500

PAYLOAD INFORMATION:
9404 0000 1194 1194 0054 0000 250f d5a6    .........T..%...
0000 0001 ee99 1554 273f 6db9 d50e 330c    .......T'?m...3.
8ae3 e1e8 7a9c 1720 53cc 692a dcf1 c68e    ....z.. S.i*....
e3cd 231b 8699 782c 82b6 6573 ea9a ef43    ..#...x,..es...C
2e19 9d62 5a14 6478 e43e 25b2 480e 1d4e    ...bZ.dx.>%.H..N
e9c0 5787 ee1e fbfd                        ..W.....


148.87.5.71 is owned by Oracle it seems:
- -----------------------
OrgName:    Oracle Datenbanksysteme GmbH
OrgID:      ODG-3
Address:    500 Oracle Pkwy
City:       Redwood Shores
StateProv:  CA
PostalCode: 94065
Country:    US

NetRange:   148.87.0.0 - 148.87.255.255
CIDR:       148.87.0.0/16
NetName:    ORACLE-AT
NetHandle:  NET-148-87-0-0-1
Parent:     NET-148-0-0-0-0
NetType:    Direct Assignment
NameServer: NS1.ORACLE.COM
NameServer: NS4.ORACLE.COM
Comment:
RegDate:    1991-04-11
Updated:    2002-04-15

RTechHandle: JKD7-ARIN
RTechName:   Doyle, John K.
RTechPhone:  +1-650-506-2380
RTechEmail:  john.doyle () oracle com

- --

Best Regards,

Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC


- --------------------------------------------------

Email:   eric.hines () appliedwatch com
Address: 1095 Pingree Road
         Suite 221
         Crystal Lake, IL
         60014
Tel:     (877) 262-7593 ext:327
Local:   (847) 854-5831
Fax:     (847) 854-5106
Web:     http://www.appliedwatch.com

- --------------------------------------------------
Security Management for the Open Source Enterprise



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFBysj1va6QYTV0EMRAkE+AJwLPG9ch0ZFDuW18aY6yUczIneimQCfSP9B
IBagYj1HNpEVzIhfjREVeuk=
=OODh
-----END PGP SIGNATURE-----

Attachment: eric.hines.vcf
Description:

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
