Snort mailing list archives
Uptick in protocol stack testing scans
From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 23 Sep 2013 16:22:45 -0600
All, I've been seeing an increase in protocol stack shadiness at several locations starting on Friday. These appear to trickle in throughout the day usually one every 10 to 20 minutes with src/dst ports of 0. Those running Cisco will see this type of jazz in your logs: Sep 20 17:44:24 x.x.x.x %ASA-5-500003: Bad TCP hdr length (hdrlen=8, pktlen=78) from 213.157.218.54/0 to x.x.x.x/0, flags: INVALID, on interface Sep 20 18:02:26 x.x.x.x %ASA-4-500004: Invalid transport field for protocol=TCP, from 95.172.154.15/0 to x.x.x.x/0 Sep 20 18:13:16 x.x.x.x %ASA-5-500003: Bad TCP hdr length (hdrlen=16, pktlen=78) from 95.172.154.15/0 to x.x.x.x/0, flags: FIN SYN PSH ACK URG , on interface Those running bro will see the below in their weird.log: 2013-09-20T18:13:11-0600 GECmtvVYjD8 213.157.218.54 0 x.x.x.x 0 bad_TCP_header_len - F bro 2013-09-20T19:07:32-0600 DlhjJ8Twqyk 213.157.218.54 0 x.x.x.x 0 TCP_christmas - F bro The below updated rules should catch some of these: alert tcp $EXTERNAL_NET 0 -> $HOME_NET 0 (msg:"SYN RST packet"; flow:stateless; flags:SR+; classtype:bad-unknown; sid:10000042; rev:1;) alert tcp $EXTERNAL_NET 0 -> $HOME_NET 0 (msg:"SYN PSH packet"; flow:stateless; flags:SP+; classtype:bad-unknown; sid:10000043; rev:1;) alert tcp $EXTERNAL_NET 0 -> $HOME_NET 0 (msg:"SYN FIN packet"; flow:stateless; flags:SF+; classtype:bad-unknown; sid:10000097; rev:1;) Thank you, James ------------------------------------------------------------------------------ October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60133471&iu=/4140/ostg.clktrk _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Uptick in protocol stack testing scans James Lay (Sep 23)