Security Incidents mailing list archives

Re: Very Strange Attack


From: "Fulton L. Preston Jr." <fulton () PRESTONS ORG>
Date: Thu, 8 Feb 2001 01:42:44 -0500

Ok, replying to my own message here.

To reduce the "false positives" here I inserted a rule into my snort
conf file:

alert tcp $EXTERNAL_NET 18245 -> $HOME_NET 21536 (msg: "Nortel CVX Router Malformed Packet - Possible portscan, check web logs to verify.";)

That way when I receive the standard snort email (custom script) about
portscans, it is followed in the next line by the above message.  Not a
fix, but sort of helps in sorting out those darn false alerts caused by
these Nortel boxes.

I suppose there is another way to completely turn off the alert in the Snort
portscan pre-processor, but I decided to leave it on just in case; I like
to run in paranoid mode :)

Regards,
Fulton Preston


-----Original Message-----
From: Fulton L. Preston Jr. 
Sent: Wednesday, February 07, 2001 9:20 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Very Strange Attack


This activity has been traced to a Nortel CVX device that is malforming
standard HTTP requests to a web server.  If you check your web server
log files you will see that at the exact same time of the "scan" a legit
request comes in to the web server.  Packet captures of the traffic on
21536 show that they too are GET requests, but the Nortel seems to send
them to the wrong port.

This issue was discussed in this very list last month.

http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Fm
id%3D156038%26start%3D2001-01-12%26list%3D75%26fromthread%3D0%26threads%
3D0%26end%3D2001-01-18%26

I too was concerned when I first saw these packets.  Each time a user
from splitrock.com accesses my web pages, boom, there are the packets.
Funny thing though, right on Nortel's website is a testimony about how
they helped SplitRock manage their networks by installing, you guessed
it, Nortel CVX's.

Regards,
Fulton Preston

-----Original Message-----
From: Mendoza, Luis [mailto:luis.mendoza () ATTLA COM]
Sent: Wednesday, February 07, 2001 10:23 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Very Strange Attack
Importance: High


Hi everybody,

I have received this traffic from the Internet; in all cases the destination
port is not well-known but is the same (TCP:21536), and likewise the source
port (TCP:18245).

Is this traffic associated with some kind of attack or anything else?

Thanks

Luis Mendoza

Feb  3 15:11:58 66.50.24.49:18245 -> a.b.c.44:21536 VECNA *******U
Feb  3 15:12:02 66.50.24.49:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U RESERVEDBITS
Feb  3 15:12:02 66.50.24.49:18245 -> a.b.c.44:21536 VECNA 2****P*U RESERVEDBITS
Feb  3 15:12:02 66.50.24.49:18245 -> a.b.c.44:21536 XMAS 2**F*P*U RESERVEDBITS
Feb  3 15:12:05 66.50.24.49:18245 -> a.b.c.44:21536 INVALIDACK 2***R*AU RESERVEDBITS

Feb  3 18:44:15 63.91.226.239:18245 -> a.b.c.44:21536 VECNA *******U
Feb  3 18:44:19 63.91.226.239:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U RESERVEDBITS
Feb  3 18:44:19 63.91.226.239:18245 -> a.b.c.44:21536 VECNA 2****P*U RESERVEDBITS
Feb  3 18:44:19 63.91.226.239:18245 -> a.b.c.44:21536 XMAS 2**F*P*U RESERVEDBITS
Feb  3 18:44:22 63.91.226.239:18245 -> a.b.c.44:21536 INVALIDACK 2***R*AU RESERVEDBITS
Feb  3 18:44:26 63.91.226.239:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U RESERVEDBITS

Feb  3 21:37:07 63.91.227.90:18245 -> a.b.c.44:21536 VECNA *******U
Feb  3 21:37:11 63.91.227.90:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U RESERVEDBITS
Feb  3 21:37:11 63.91.227.90:18245 -> a.b.c.44:21536 VECNA 2****P*U RESERVEDBITS
Feb  3 21:37:11 63.91.227.90:18245 -> a.b.c.44:21536 XMAS 2**F*P*U RESERVEDBITS
Feb  3 21:37:14 63.91.227.90:18245 -> a.b.c.44:21536 INVALIDACK 2***R*AU RESERVEDBITS
Feb  3 21:37:18 63.91.227.90:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U RESERVEDBITS

Feb  4 22:06:13 66.50.25.19:18245 -> a.b.c.44:21536 VECNA *******U
Feb  4 22:06:16 66.50.25.19:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U RESERVEDBITS
Feb  4 22:06:16 66.50.25.19:18245 -> a.b.c.44:21536 VECNA 2****P*U RESERVEDBITS
Feb  4 22:06:16 66.50.25.19:18245 -> a.b.c.44:21536 XMAS 2**F*P*U RESERVEDBITS

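The thread's explanation (HTTP GET requests landing where the TCP header should be) can be checked directly from the portscan log: the two port numbers 18245 and 21536 are the 16-bit big-endian values of the ASCII bytes "GE" and "T ". The script below is an added example written for this archive page, not code from any of the posters. It parses lines in the spp_portscan format quoted above, decodes the port pair as text, and groups entries per flow so they can be matched against the web server log at the same timestamp. The line format and the flag column order `21SFRPAU` (reserved bits 2 and 1, then SYN FIN RST PSH ACK URG, `*` for a clear bit) are assumptions about how Snort 1.x printed these entries; the sample lines are constructed from the ones in the thread, with the poster's own `a.b.c.44` placeholder kept.

```python
import re
from dataclasses import dataclass, field

# Assumed flag column order of the Snort 1.x portscan preprocessor log.
FLAG_ORDER = "21SFRPAU"

# One portscan log line: "Mon DD HH:MM:SS src:sport -> dst:dport TAG FLAGS [extra]"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<src>[\w.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\w.]+):(?P<dport>\d+)\s+"
    r"(?P<tag>\S+)\s+(?P<flags>[12*SFRPAU]{8})(?:\s+(?P<extra>.*))?$"
)


@dataclass
class PortscanEntry:
    timestamp: str
    src: str
    sport: int
    dst: str
    dport: int
    tag: str
    flags: set = field(default_factory=set)
    reserved_bits: bool = False


def parse_line(line):
    """Parse one spp_portscan log line; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags = {FLAG_ORDER[i] for i, ch in enumerate(m["flags"]) if ch != "*"}
    extra = m["extra"] or ""
    return PortscanEntry(
        timestamp=m["ts"], src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]), tag=m["tag"],
        flags=flags, reserved_bits="RESERVEDBITS" in extra,
    )


def port_pair_as_ascii(sport, dport):
    """Return the four header bytes that the two ports occupy, as latin-1 text."""
    raw = sport.to_bytes(2, "big") + dport.to_bytes(2, "big")
    return raw.decode("latin-1")


def port_pair_is_printable_text(sport, dport):
    """True when both ports decode to printable ASCII, i.e. the header bytes
    look like text rather than two real port numbers."""
    return all(0x20 <= b < 0x7F for b in sport.to_bytes(2, "big") + dport.to_bytes(2, "big"))


def triage(lines):
    """Group entries per (src, sport, dst, dport) flow and annotate each with the
    decoded port text, so a flow whose ports spell 'GET ' can be correlated with
    the web server access log instead of being treated as a scan."""
    flows = {}
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        key = (e.src, e.sport, e.dst, e.dport)
        f = flows.setdefault(key, {
            "count": 0, "tags": [], "timestamps": [],
            "port_text": port_pair_as_ascii(e.sport, e.dport),
            "text_like": port_pair_is_printable_text(e.sport, e.dport),
        })
        f["count"] += 1
        f["tags"].append(e.tag)
        f["timestamps"].append(e.timestamp)
    return flows


# Constructed sample, copied in shape from the lines quoted in the thread.
SAMPLE_LINES = [
    "Feb  3 15:11:58 66.50.24.49:18245 -> a.b.c.44:21536 VECNA *******U",
    "Feb  3 15:12:02 66.50.24.49:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U RESERVEDBITS",
    "Feb  3 15:12:02 66.50.24.49:18245 -> a.b.c.44:21536 VECNA 2****P*U RESERVEDBITS",
    "Feb  3 15:12:02 66.50.24.49:18245 -> a.b.c.44:21536 XMAS 2**F*P*U RESERVEDBITS",
    "Feb  3 15:12:05 66.50.24.49:18245 -> a.b.c.44:21536 INVALIDACK 2***R*AU RESERVEDBITS",
    "Feb  3 18:44:15 63.91.226.239:18245 -> a.b.c.44:21536 VECNA *******U",
    "Feb  3 18:44:19 63.91.226.239:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U RESERVEDBITS",
]

if __name__ == "__main__":
    for (src, sport, dst, dport), info in triage(SAMPLE_LINES).items():
        print(f"{src}:{sport} -> {dst}:{dport}  entries={info['count']}  "
              f"ports as text={info['port_text']!r}  text-like={info['text_like']}  "
              f"check web log at {info['timestamps'][0]}")
```

When the ports decode to printable text the flow is a candidate for the web-log correlation the thread describes; a real scan would normally produce a port pair such as 80/443 that decodes to non-printable bytes, which is why the check is a useful first filter before tuning the preprocessor.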
