Snort mailing list archives
Fw: UDP 1434
From: "jai" <jai.s () net4india net>
Date: Sat, 25 Jan 2003 21:49:59 +0530
Hi,

Internet traffic of India's and Asia's network has been affected badly ..... it's amazing .... seriously, Microsoft sucks .. but it's fun !! :-)

Well, I found something new in this ... I think this worm spoofs IP address according .... below is the tcpdump output .. out of which the host 169.254.198.47 is sending repeated packets to different networks ... but 169.254.198.47 is not our network .... after matching the MAC address .. it was originating from our IP, i.e. 202.71.129.197.

tcpdump output :

20:56:28.016820 0:2:b3:2f:a4:95 1:0:5e:2d:b2:12 ip 418: 169.254.198.47.4041> 224.173.178.18.ms-sql-m: udp 376 [ttl 1]
        4500 0194 8e94 0000 0111 26d7 a9fe c62f
        e0ad b212 0fc9 059a 0180 2294 0401 0101
        0101 0101 0101 0101 0101 0101 0101 0101
        0101 0101 0101 0101 0101 0101 0101 0101
        0101 0101 0101 0101 0101 0101 0101 0101
        0101 0101 0101 0101 0101 0101 0101 0101
        0101 0101 0101 0101 0101 0101 0101 0101
        0101
20:56:28.016820 0:2:b3:2f:a4:95 1:0:5e:58:ed:71 ip 418: 169.254.198.47.4041> reserved-multicast-range-NOT-delegated.example.com.ms-sql-m: udp 376 [ttl 1]
        4500 0194 8e95 0000 0111 e5cb a9fe c62f
        e658 ed71 0fc9 059a 0180 e189 0401 0101
        0101 0101 0101 0101 0101 0101 0101 0101
        0101 0101 0101 0101 0101 0101 0101 0101
        0101 0101 0101 0101 0101 0101 0101 0101
        0101 0101 0101 0101 0101 0101 0101 0101
        0101 0101 0101 0101 0101 0101 0101 0101
        0101

Router the MAC address ..

Internet  202.71.129.197  157  0002.b32f.a495  ARPA  FastEthernet6/0

I am running snort ... but it didn't detect ....

Rgds
Jai
----- Original Message -----
From: Paul Marcus <paulmarcus () mindspring com>
To: jai <jai.s () net4india net>
Cc: <snort-users () lists sourceforge net>
Sent: Saturday, January 25, 2003 8:20 PM
Subject: Re: [Snort-users] UDP 1434

http://forums.military.com/1/OpenTopic?a=tpc&s=78919038&f=409192893&m=4551982416
http://slashdot.org/articles/03/01/25/1245206.shtml?tid=109

On Sat, 2003-01-25 at 06:49, jai wrote:

Hi,
I am getting very high traffic on UDP 1434 .... what might be the problem
Rgds
Jai
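An added example, not part of the original message or the thread: Python that decodes the IPv4 header words from the first frame in the dump above, verifies the header checksum, classifies the source address, and resolves the frame's source MAC against the router ARP entry quoted in the post. The frame and ARP values are copied from the message; `LOCAL_PREFIX` and all function names are assumptions made for this illustration.

```python
import ipaddress
import struct

# Values copied from the post; LOCAL_PREFIX is an assumption (not stated there).
LOCAL_PREFIX = ipaddress.ip_network("202.71.129.0/24")
ARP_TABLE = {"0002.b32f.a495": "202.71.129.197"}   # router ARP entry
FRAME = {
    "src_mac": "0:2:b3:2f:a4:95",
    "dst_mac": "1:0:5e:2d:b2:12",
    "ip_hex": "4500 0194 8e94 0000 0111 26d7 a9fe c62f e0ad b212",
}

def norm_mac(mac):
    """Normalise tcpdump (0:2:b3:..) and Cisco (0002.b32f.a495) MAC notation."""
    if ":" in mac:
        return "".join(part.zfill(2) for part in mac.lower().split(":"))
    return mac.lower().replace(".", "")

def checksum_ok(header):
    """An IPv4 header is intact when its 16-bit ones' complement sum is 0xffff."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def multicast_mac(ip):
    """Ethernet MAC for an IPv4 multicast group: 01:00:5e + low 23 address bits."""
    return "01005e%06x" % (int(ip) & 0x7FFFFF)

def triage(frame, arp_table, local_prefix):
    header = bytes.fromhex(frame["ip_hex"].replace(" ", ""))[:20]
    ttl, proto = header[8], header[9]
    src = ipaddress.ip_address(header[12:16])
    dst = ipaddress.ip_address(header[16:20])
    owners = {norm_mac(mac): ip for mac, ip in arp_table.items()}
    return {
        "checksum_ok": checksum_ok(header),
        "src": str(src), "dst": str(dst), "ttl": ttl, "proto": proto,
        "src_in_local_prefix": src in local_prefix,
        "src_is_link_local": src.is_link_local,        # 169.254.0.0/16
        "dst_mac_matches_group": dst.is_multicast
            and multicast_mac(dst) == norm_mac(frame["dst_mac"]),
        # The MAC, not the IP source field, identifies the sending host.
        "sending_host": owners.get(norm_mac(frame["src_mac"])),
    }

if __name__ == "__main__":
    for key, value in triage(FRAME, ARP_TABLE, LOCAL_PREFIX).items():
        print(f"{key}: {value}")
```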