Re: Incident Identification

[Phil Wood <cpw () lanl gov>]

Is W.X.Y.Z a bonified Domain Name Server?  If so, it could just
be some broken client software attempting to connect
to the server.  You might want to see if a 3 way handshake happened
and real request was sent and honored.

Otherwise, it probably is a probe.  As it stands there is not enough
information to zero in on just what it is all about.

On Sun, Dec 23, 2001 at 09:34:38PM -0500, Frank Reid wrote:
> I'm seeing a pattern of these alerts against a few hosts (destination port
> tcp 53) and, it appears, a payload of nulls.  Does anyone know whether these
> occur benignly or whether they're associated with some probe.  Is it
> possible they're trying to co-opt DNS services to tunnel through a stateful
> inspection firewall?  Thanks!
>
> Frank
>
> BAD TRAFFIC data in TCP SYN packet
> IPv4: A.B.C.D-> W.X.Y.Z
>       hlen=5 TOS=0 dlen=64 ID=13603 flags=0 offset=0 TTL=244 chksum=18433
> TCP:  port=2402 -> dport: 53  flags=******S* seq=2027431866
>       ack=0 off=5 res=0 win=2048 urp=0 chksum=46093
> Payload:  length = 24
>
> 000 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
> 010 : 00 00 00 00 00 00 00 00                           ........
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users