Security Incidents mailing list archives
Re: Very Strange Attack
From: "Fulton L. Preston Jr." <fulton () PRESTONS ORG>
Date: Thu, 8 Feb 2001 01:42:44 -0500
Ok, replying to my own message here. To reduce the "false positives" here I inserted a rule into my snort conf file:

alert tcp $EXTERNAL_NET 18245 -> $HOME_NET 21536 (msg: "Nortel CVX Router Malformed Packet - Possible portscan, check web logs to verify.";)

That way when I receive the standard snort email (custom script) about portscans, it is followed in the next line by the above message. Not a fix, but it sort of helps in sorting out those darn false alerts caused by these Nortel boxes. I suppose there is another way to completely turn off the alert in the Snort portscan pre-processor, but I decided to leave it on just in case; I like to run in paranoid mode :)

Regards,
Fulton Preston

-----Original Message-----
From: Fulton L. Preston Jr.
Sent: Wednesday, February 07, 2001 9:20 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Very Strange Attack

This activity has been traced to a Nortel CVX device that is malforming standard HTTP requests to a web server. If you check your web server log files you will see that at the exact same time of the "scan" a legit request comes in to the web server. Packet captures of the traffic on 21536 show that they too are GET requests, but the Nortel seems to send it to the wrong port. This issue was discussed in this very list last month.

http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Fmid%3D156038%26start%3D2001-01-12%26list%3D75%26fromthread%3D0%26threads%3D0%26end%3D2001-01-18%26

I too was concerned when I first saw these packets. Each time a user from splitrock.com accesses my web pages, boom, there are the packets. Funny thing though, right on Nortel's website is a testimonial about how they helped SplitRock manage their networks by installing, you guessed it, Nortel CVX's.

Regards,
Fulton Preston

-----Original Message-----
From: Mendoza, Luis [mailto:luis.mendoza () ATTLA COM]
Sent: Wednesday, February 07, 2001 10:23 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Very Strange Attack
Importance: High

Hi everybody,

I have received this traffic from the Internet. In all cases the destination ports are not well-known but are the same (TCP:21536), and the source port idem (TCP:18245). Is this traffic associated with some kind of attack or anything else?

Thanks
Luis Mendoza

Feb 3 15:11:58 66.50.24.49:18245 -> a.b.c.44:21536 VECNA *******U
Feb 3 15:12:02 66.50.24.49:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U RESERVEDBITS
Feb 3 15:12:02 66.50.24.49:18245 -> a.b.c.44:21536 VECNA 2****P*U RESERVEDBITS
Feb 3 15:12:02 66.50.24.49:18245 -> a.b.c.44:21536 XMAS 2**F*P*U RESERVEDBITS
Feb 3 15:12:05 66.50.24.49:18245 -> a.b.c.44:21536 INVALIDACK 2***R*AU RESERVEDBITS
Feb 3 18:44:15 63.91.226.239:18245 -> a.b.c.44:21536 VECNA *******U
Feb 3 18:44:19 63.91.226.239:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U RESERVEDBITS
Feb 3 18:44:19 63.91.226.239:18245 -> a.b.c.44:21536 VECNA 2****P*U RESERVEDBITS
Feb 3 18:44:19 63.91.226.239:18245 -> a.b.c.44:21536 XMAS 2**F*P*U RESERVEDBITS
Feb 3 18:44:22 63.91.226.239:18245 -> a.b.c.44:21536 INVALIDACK 2***R*AU RESERVEDBITS
Feb 3 18:44:26 63.91.226.239:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U RESERVEDBITS
Feb 3 21:37:07 63.91.227.90:18245 -> a.b.c.44:21536 VECNA *******U
Feb 3 21:37:11 63.91.227.90:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U RESERVEDBITS
Feb 3 21:37:11 63.91.227.90:18245 -> a.b.c.44:21536 VECNA 2****P*U RESERVEDBITS
Feb 3 21:37:11 63.91.227.90:18245 -> a.b.c.44:21536 XMAS 2**F*P*U RESERVEDBITS
Feb 3 21:37:14 63.91.227.90:18245 -> a.b.c.44:21536 INVALIDACK 2***R*AU RESERVEDBITS
Feb 3 21:37:18 63.91.227.90:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U RESERVEDBITS
Feb 4 22:06:13 66.50.25.19:18245 -> a.b.c.44:21536 VECNA *******U
Feb 4 22:06:16 66.50.25.19:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U RESERVEDBITS
Feb 4 22:06:16 66.50.25.19:18245 -> a.b.c.44:21536 VECNA 2****P*U RESERVEDBITS
Feb 4 22:06:16 66.50.25.19:18245 -> a.b.c.44:21536 XMAS 2**F*P*U RESERVEDBITS
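The thread's advice is to tag the 18245 -> 21536 portscan alerts and then check the web logs to confirm a legitimate request arrived at the same moment. The script below, an added example that is not part of the thread, automates both checks. It also shows why the port pair is always the same: read as four bytes, source port 18245 (0x4745) and destination port 21536 (0x5420) spell the ASCII string "GET ", i.e. the start of an HTTP request line sitting where the TCP port fields should be, which is also why Snort reports garbage flag combinations. The Snort log lines are taken from the thread; the Apache access-log lines, the 2001 year, and the 10-second correlation window are constructed assumptions.

```python
"""Triage of the 18245 -> 21536 "portscan" alerts discussed in the thread.

Two offline checks a defender can run:
 1. Decode the fixed source/destination port pair as ASCII. 18245 = 0x4745
    = "GE" and 21536 = 0x5420 = "T ", i.e. the first four bytes of an HTTP
    "GET " request line landing where the TCP ports should be.
 2. Correlate each alert with the web server access log: if the same client
    IP made an ordinary HTTP request within a few seconds, tag the alert as
    the known CVX artifact rather than a scan.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Sample Snort portscan log lines in the format quoted in the thread
# (first three are from the thread; the last one is constructed as a contrast).
PORTSCAN_LOG = """\
Feb 3 15:11:58 66.50.24.49:18245 -> a.b.c.44:21536 VECNA *******U
Feb 3 15:12:02 66.50.24.49:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U RESERVEDBITS
Feb 3 18:44:15 63.91.226.239:18245 -> a.b.c.44:21536 VECNA *******U
Feb 3 19:02:10 10.9.8.7:40001 -> a.b.c.44:21536 XMAS 2**F*P*U RESERVEDBITS
"""

# Constructed Apache common-log-format lines for the same web server; the
# thread only says "a legit request comes in", so these are hypothetical.
ACCESS_LOG = """\
66.50.24.49 - - [03/Feb/2001:15:11:57 -0500] "GET /index.html HTTP/1.0" 200 1234
63.91.226.239 - - [03/Feb/2001:18:44:15 -0500] "GET /images/logo.gif HTTP/1.0" 200 5678
"""

YEAR = 2001                     # syslog lines carry no year; assumed from the thread's date
WINDOW = timedelta(seconds=10)  # assumed: how close a web hit must be to count as correlated

SCAN_RE = re.compile(
    r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) (\S+?):(\d+) -> (\S+?):(\d+) (\S+)")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')


def ports_as_ascii(src_port: int, dst_port: int) -> str:
    """Render the two 16-bit port fields as the four bytes they occupy on the wire."""
    return (src_port.to_bytes(2, "big") + dst_port.to_bytes(2, "big")).decode("latin-1")


def parse_portscan(text: str) -> list[dict]:
    """Parse Snort portscan log lines into dicts with a datetime and the port tuple."""
    out = []
    for line in text.splitlines():
        m = SCAN_RE.match(line)
        if not m:
            continue
        mon, day, hms, src, sport, dst, dport, kind = m.groups()
        ts = datetime.strptime(f"{YEAR} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
        out.append({"ts": ts, "src": src, "sport": int(sport),
                    "dst": dst, "dport": int(dport), "kind": kind})
    return out


def parse_access(text: str) -> list[dict]:
    """Parse common-log-format lines; the timezone offset is dropped because
    the syslog timestamps are local time as well."""
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, stamp, req = m.groups()
        ts = datetime.strptime(stamp.split()[0], "%d/%b/%Y:%H:%M:%S")
        out.append({"ts": ts, "ip": ip, "request": req})
    return out


def classify(alert: dict, web: list[dict]) -> str:
    """'cvx-artifact' when the port pair spells "GET " and the same client hit the
    web server inside WINDOW; 'suspicious' for anything else."""
    if ports_as_ascii(alert["sport"], alert["dport"]) != "GET ":
        return "suspicious"
    for hit in web:
        if hit["ip"] == alert["src"] and abs(hit["ts"] - alert["ts"]) <= WINDOW:
            return "cvx-artifact"
    return "suspicious"


def triage(scan_text: str, access_text: str) -> list[tuple[str, str, str]]:
    """Return (source IP, Snort scan type, verdict) for every alert line."""
    web = parse_access(access_text)
    return [(a["src"], a["kind"], classify(a, web)) for a in parse_portscan(scan_text)]


if __name__ == "__main__":
    print("port pair decodes to:", repr(ports_as_ascii(18245, 21536)))
    for row in triage(PORTSCAN_LOG, ACCESS_LOG):
        print(row)
```

The verdict only downgrades an alert when both conditions hold: the port pair is the "GET " artifact and a matching client appears in the access log. An alert with the same destination port but a different source port, or with no corresponding web hit, stays "suspicious", so the check narrows the false positives without silencing the portscan preprocessor.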
Current thread:
- Very Strange Attack Mendoza, Luis (Feb 07)
- Re: Very Strange Attack Osvaldo J. Filho (Feb 07)
- Re: Very Strange Attack Fernando Cardoso (Feb 07)
- Re: Very Strange Attack Osvaldo J. Filho (Feb 07)
- Re: Very Strange Attack Fernando Cardoso (Feb 07)
- <Possible follow-ups>
- Re: Very Strange Attack Benninghoff, John (Feb 07)
- Re: Very Strange Attack Fulton L. Preston Jr. (Feb 07)
- Re: Very Strange Attack Fulton L. Preston Jr. (Feb 09)
- Re: Very Strange Attack Mendoza, Luis (Feb 10)
- Re: Very Strange Attack Osvaldo J. Filho (Feb 07)