Snort mailing list archives
RE: SV: BAD TRAFFIC data in TCP SYN packet
From: "Austad, Jay" <austad () marketwatch com>
Date: Tue, 15 Jan 2002 09:38:46 -0600
Here's a description of the probe from the help provided in the configuration interface for the 3dns units:

==========================================

Probe Protocol

Specifies which protocol the prober uses to probe LDNS servers, and in what order the protocols are used. (The box on the right side lists the order in which the protocols are used.)

Note: If you select DNS_DOT or DNS_REV, a working DNS of some sort must be running on the probed server.

TCP (Transmission Control Protocol)

This is the most common transport layer protocol used on Ethernet and Internet. TCP adds reliable communication, flow-control, multiplexing, and connection-oriented communication. It provides full-duplex, process-to-process connections. TCP is connection-oriented and stream-oriented, unlike UDP.

DNS_DOT (DNS Dot)

This protocol is specific to the 3-DNS Controller. The 3-DNS Controller sends a DNS Message to the probe target LDNS querying for "." (a dot). If the LDNS is not blocking queries from unknown addresses, it answers with a list of root name servers. The 3-DNS Controller makes these requests only to measure network latency and packet loss; it does not use the information contained in the responses.

DNS_REV (Reverse IP address lookup)

This protocol is specific to the 3-DNS Controller. The 3-DNS Controller sends a DNS Message to the probe target LDNS querying for a record of class IN, type PTR. Most versions of DNS answer with a record containing their fully-qualified domain name. The 3-DNS Controller makes these requests only to measure network latency and packet loss; it does not use the information contained in the responses.

==========================================================

If the above methods fail, the prober will do an ICMP echo ping, or failing that, will try a UDP Traceroute. The probers can run both on 3dns units, or their BigIP units (like Cisco's Local Director). It definitely is quite noisy, however, it is configurable.

You can disable any of the above behavior, and also put in a list of ips or whole networks not to probe.

----------
Jay Austad
Network Security Administrator
CBS Marketwatch
612.817.1271
austad () marketwatch com <mailto:austad () marketwatch com>
http://cbs.marketwatch.com
http://www.bigcharts.com
-----Original Message-----
From: Dan Hollis [mailto:goemon () anime net]
Sent: Monday, January 14, 2002 4:57 PM
To: Matt Kettler
Cc: Lars Jørgensen IT; 'snort-users () lists sourceforge net'; bugtraq () securityfocus com
Subject: Re: SV: [Snort-users] BAD TRAFFIC data in TCP SYN packet

On Mon, 14 Jan 2002, Matt Kettler wrote:
> Here's a very good analysis of the 3dns traffic and the strange packets:
> http://www.incidents.org/detect/3dns.php
> some information on the 3dns product itself is at.
> http://www.f5.com/f5products/3dns/index.html

Has anyone contacted f5 to ask them why they are sending malformed packets? Not that I really expect them to give a straight answer, but it could be enlightening...

-Dan
--
[-] Omae no subete no kichi wa ore no mono da. [-]

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
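The probe shapes described in the post can be recognised from raw packet bytes. The following is an added example written for this archive page; it is not code from the post, from Snort, or from F5. It flags a TCP SYN segment that carries payload (the condition behind the "BAD TRAFFIC data in TCP SYN packet" alert the thread is about) and classifies a DNS query as a DNS_DOT probe (QNAME "."), a DNS_REV probe (QTYPE PTR), or something else. The packet builders, the addresses and the matching of PTR names against the in-addr.arpa suffix are assumptions constructed for the example, not values taken from the 3-DNS documentation.

```python
"""Recognise 3-DNS style probes from raw packet bytes (added example)."""
import struct

TCP_SYN = 0x02
TCP_ACK = 0x10
QTYPE_NS = 2    # only used to build a sample "." query; any QTYPE for "." counts as DNS_DOT
QTYPE_PTR = 12


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Return ports, TCP flags and payload length of an IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    tcp = pkt[ihl:total_len]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4          # TCP header length incl. options
    flags = off_flags & 0x1FF
    return {"sport": sport, "dport": dport, "flags": flags,
            "payload_len": len(tcp[data_off:])}


def is_data_in_syn(pkt: bytes) -> bool:
    """True for a pure SYN (ACK clear) that carries application data.

    A normal connection opener has an empty payload, so data here is what the
    Snort signature named in the thread treats as suspicious."""
    f = parse_ipv4_tcp(pkt)
    return bool(f["flags"] & TCP_SYN) and not (f["flags"] & TCP_ACK) and f["payload_len"] > 0


def parse_dns_question(msg: bytes) -> tuple:
    """Return (qname, qtype) of the first question in a DNS message.

    The root name is reported as ".", other names with a trailing dot."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                      # compression is not valid in a query name
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    qname = ".".join(labels) + "." if labels else "."
    return qname, qtype


def classify_dns_probe(msg: bytes) -> str:
    """Map a DNS query onto the probe names from the 3-DNS help text."""
    qname, qtype = parse_dns_question(msg)
    if qname == ".":
        return "DNS_DOT"
    # Assumption: a reverse-lookup probe asks for a PTR under in-addr.arpa.
    if qtype == QTYPE_PTR and qname.endswith(".in-addr.arpa."):
        return "DNS_REV"
    return "other"


# --- constructed sample packets (checksums left at zero; fine for parsing) ---
def build_ipv4_tcp(flags: int, payload: bytes) -> bytes:
    tcp = struct.pack("!HHIIHHHH", 40000, 53, 1, 0, (5 << 12) | flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    return ip + tcp


def build_dns_query(qname: str, qtype: int) -> bytes:
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    question = b""
    for label in qname.rstrip(".").split("."):
        if label:
            question += bytes([len(label)]) + label.encode("ascii")
    return header + question + b"\x00" + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    print("SYN with data:", is_data_in_syn(build_ipv4_tcp(TCP_SYN, b"probe")))
    print("SYN, no data: ", is_data_in_syn(build_ipv4_tcp(TCP_SYN, b"")))
    for name, qtype in ((".", QTYPE_NS), ("10.2.0.192.in-addr.arpa", QTYPE_PTR), ("example.com", 1)):
        print(f"{name!r:32} -> {classify_dns_probe(build_dns_query(name, qtype))}")
```

Run over a capture, the two checks separate the noisy-but-benign probe traffic the thread describes (a known prober address hitting your resolver with "." and PTR queries, or with data-bearing SYNs) from genuinely malformed packets coming from anywhere else; the sender list is what you would compare against the exclusion list the post says the 3-DNS units can be configured with.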
Current thread:
- BAD TRAFFIC data in TCP SYN packet Lars Jørgensen IT (Jan 13)
- Re: BAD TRAFFIC data in TCP SYN packet Chris Keladis (Jan 13)
- Re: BAD TRAFFIC data in TCP SYN packet Matt Kettler (Jan 14)
- Re: BAD TRAFFIC data in TCP SYN packet Dewey Paciaffi (Jan 14)
- Re: BAD TRAFFIC data in TCP SYN packet Martin Roesch (Jan 14)
- Re: BAD TRAFFIC data in TCP SYN packet Laurie Zirkle (Jan 15)
- <Possible follow-ups>
- Re: BAD TRAFFIC data in TCP SYN packet Tudor Panaitescu (Jan 14)
- SV: BAD TRAFFIC data in TCP SYN packet Lars Jørgensen IT (Jan 14)
- Re: SV: BAD TRAFFIC data in TCP SYN packet Matt Kettler (Jan 14)
- Re: SV: BAD TRAFFIC data in TCP SYN packet Dan Hollis (Jan 14)
- Re: SV: BAD TRAFFIC data in TCP SYN packet Matt Kettler (Jan 14)
- RE: SV: BAD TRAFFIC data in TCP SYN packet Austad, Jay (Jan 15)
- RE: SV: BAD TRAFFIC data in TCP SYN packet Dan Hollis (Jan 15)
- RE: SV: BAD TRAFFIC data in TCP SYN packet Matt Kettler (Jan 15)
- RE: SV: BAD TRAFFIC data in TCP SYN packet Dan Hollis (Jan 15)