Snort mailing list archives
What's going on here? Mstream analysis...
From: JSeddon () semtech com
Date: Mon, 13 Aug 2001 16:39:55 -0700
Hi all! I was hoping this newbie-analyst-wannabe could get some assistance in figuring out what snort is telling me. I received 48 packets that alerted on snort similar to the one below. The packets all look about the same (I can forward the full dump if it helps) and all 48 arrived within about 90 seconds. I'm running Version 1.8.1-beta7 (Build 66). Here are my questions:

1. The rule is telling me that it detected traffic coming from the mstream client (a.b.c.d) to my firewall (my.firewall.ip) destined for the mstream handler. This could be heading to some client on my internal network hidden by NAT, I assume. I'm assuming that the terms mstream "client" and mstream "agent" are the same (getting my mstream info from: http://www.cert.org/incident_notes/IN-2000-05.html). From what I understand about mstream, the client (agent) has handlers coded into it during compile time. When the agent starts, it tries to announce itself to all of the handlers that it was coded for. I doubt that this traffic is it, because the internal network is hidden by NAT. If the handler is on my internal network, there's no way that the agent could announce itself to the internal IP address. Also, I believe that the mstream announcement traffic comes on UDP and these are all TCP:80 packets. The other possibility is that the firewall itself is running the handler. However, my firewall is running NT and I believe the mstream client runs on *nix. So I conclude that this is not announcement traffic to a handler on my network. How am I doing so far?

2. If this is not the announcement of the client to the handler, then it could be the handler echoing commands back to the handler. There was definitely data in the packets; I couldn't make anything of it, however. Most examples of mstream traffic I've seen, however, aren't using common ports. On the other hand, the dude running the handler on my internal network may have set it to use port 80 so my firewall would forward it to him. Is there a way to make sense of the data in the packets?

3. Does anyone have any other ideas on how to figure out what's happening?

Thanks!

James

[**] DDOS mstream client to handler [**]
08/13-08:12:47.743103 a.b.c.d:80 -> my.firewall.ip:12754
TCP TTL:61 TOS:0x0 ID:27309 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0xE37E6C1A Ack: 0x57B1F Win: 0x7D78 TcpLen: 20
48 54 54 50 2F 31 2E 30 20 32 30 30 20 4F 4B 0D  HTTP/1.0 200 OK.
0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 69  .Content-Type: i
6D 61 67 65 2F 67 69 66 0D 0A 43 6F 6E 74 65 6E  mage/gif..Conten
74 2D 4C 65 6E 67 74 68 3A 20 35 37 34 30 0D 0A  t-Length: 5740..
4C 61 73 74 2D 4D 6F 64 69 66 69 65 64 3A 20 46  Last-Modified: F
72 69 2C 20 31 35 20 41 70 72 20 31 39 39 34 20  ri, 15 Apr 1994
30 30 3A 30 30 3A 30 30 20 47 4D 54 0D 0A 45 78  00:00:00 GMT..Ex
70 69 72 65 73 3A 20 54 68 75 2C 20 31 35 20 41  pires: Thu, 15 A
70 72 20 32 30 31 30 20 32 30 3A 30 30 3A 30 30  pr 2010 20:00:00
20 47 4D 54 0D 0A 44 61 74 65 3A 20 4D 6F 6E 2C   GMT..Date: Mon,
20 31 33 20 41 75 67 20 32 30 30 31 20 31 35 3A   13 Aug 2001 15:
31 35 3A 34 38 20 47 4D 54 0D 0A 43 6F 6E 6E 65  15:48 GMT..Conne
63 74 69 6F 6E 3A 20 6B 65 65 70 2D 61 6C 69 76  ction: keep-aliv
65 0D 0A 0D 0A 47 49 46 38 39 61 7E 02 35 00 D5  e....GIF89a~.5..
27 00 00 00 00 00 00 FF 41 33 1C 4D 49 66 FF 00  '.......A3.MIf..
33 99 33 66 5D 66 33 99 44 AA CC 4D 00 66 66 99  3.3f]f3.D..M.ff.
99 66 66 99 76 2A 99 66 99 66 85 CC 65 99 66 CC  .ff.v*.f.f..e.f.
66 66 66 99 99 6B 99 99 99 99 66 94 99 99 D6 8E  fff..k....f.....
24 99 99 99 9E 9E 9E 99 99 F3 CE 99 8D 66 CC 99  $............f..
CE 99 D2 99 CC 99 33 FF F9 CC CC CC E3 CC 94 F9  ......3.........
DD 1E CC CC FF FF CC CC FF FF 00 CC FF CC CC FF  ................
FF FF FF CC FF FF FF FF FF FF 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Current thread:
- What's going on here? Mstream analysis... JSeddon (Aug 13)
- Re: What's going on here? Mstream analysis... Phil Wood (Aug 13)