Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Uptick in protocol stack testing scans

From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 23 Sep 2013 16:22:45 -0600
All,

I've been seeing an increase in protocol stack shadiness at several 
locations starting on Friday.  These appear to trickle in throughout the 
day usually one every 10 to 20 minutes with src/dst ports of 0.  Those 
running Cisco will see this type of jazz in your logs:

Sep 20 17:44:24 x.x.x.x %ASA-5-500003: Bad TCP hdr length (hdrlen=8, 
pktlen=78) from 213.157.218.54/0 to x.x.x.x/0, flags: INVALID, on 
interface
Sep 20 18:02:26 x.x.x.x %ASA-4-500004: Invalid transport field for 
protocol=TCP, from 95.172.154.15/0 to x.x.x.x/0
Sep 20 18:13:16 x.x.x.x %ASA-5-500003: Bad TCP hdr length (hdrlen=16, 
pktlen=78) from 95.172.154.15/0 to x.x.x.x/0, flags: FIN SYN PSH ACK URG 
, on interface

Those running bro will see the below in their weird.log:

2013-09-20T18:13:11-0600  GECmtvVYjD8 213.157.218.54   0 x.x.x.x    0   
bad_TCP_header_len  -       F bro
2013-09-20T19:07:32-0600  DlhjJ8Twqyk 213.157.218.54   0 x.x.x.x    0   
TCP_christmas   - F bro

The below updated rules should catch some of these:
alert tcp $EXTERNAL_NET 0 -> $HOME_NET 0 (msg:"SYN RST packet"; 
flow:stateless; flags:SR+; classtype:bad-unknown; sid:10000042; rev:1;)
alert tcp $EXTERNAL_NET 0 -> $HOME_NET 0 (msg:"SYN PSH packet"; 
flow:stateless; flags:SP+; classtype:bad-unknown; sid:10000043; rev:1;)
alert tcp $EXTERNAL_NET 0 -> $HOME_NET 0 (msg:"SYN FIN packet"; 
flow:stateless; flags:SF+; classtype:bad-unknown; sid:10000097; rev:1;)

Thank you,

James

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60133471&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: