Snort mailing list archives

Funky packets


From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 05 Mar 2013 08:46:45 -0700

Hey All!

So...recently I got to packet capture first hand a rather extensive 2 
day (unsolicited) recon/router test.  Almost all of these packets were 
short on the TCP header:

  13 2013-03-01 18:05:33.218358000 x.x.x.x -> x.x.x.x TCP 74 0 > 0 [FIN, RST, ACK, URG, ECN, CWR, Reserved] Seq=1 Ack=1 Win=6667 Urg=0 Len=12
  15 2013-03-01 18:17:39.706664000 x.x.x.x -> x.x.x.x TCP 74 0 > 0 [FIN, SYN, PSH, ECN, CWR, NS, Reserved] Seq=3323674723 Win=6667[Malformed Packet]
  16 2013-03-01 18:20:15.162110000 x.x.x.x -> x.x.x.x TCP 74 0 > 0 [SYN, CWR, NS, Reserved] Seq=0 Win=6667, bogus TCP header length (12, must be at least 20)
  25 2013-03-01 19:49:34.199237000 x.x.x.x -> x.x.x.x TCP 74 0 > 0 [SYN, RST, ECN, NS, Reserved] Seq=0 Win=6667, bogus TCP header length (12, must be at least 20)
  26 2013-03-01 19:49:34.199244000 x.x.x.x -> x.x.x.x TCP 74 0 > 0 [SYN, RST, ECN, NS, Reserved] Seq=0 Win=6667, bogus TCP header length (12, must be at least 20)
  65 2013-03-02 00:00:15.431041000 x.x.x.x -> x.x.x.x TCP 74 0 > 0 [FIN, SYN, URG, ECN, Reserved] Seq=0 Win=5000, bogus TCP header length (8, must be at least 20)
  66 2013-03-02 00:00:15.431092000 x.x.x.x -> x.x.x.x TCP 74 0 > 0 [FIN, SYN, URG, ECN, Reserved] Seq=0 Win=5000, bogus TCP header length (8, must be at least 20)


these are just a few of the many I saw.  I've created the below (SYN + 
RST packets are my favorite) to see at least some of this:

alert tcp $EXTERNAL_NET 0 -> $HOME_NET 0 (msg:"SYN with RST packet"; flags:S,R; classtype:bad-unknown; sid:10000042; rev:1;)


Interestingly, of the 24 packets that have SYN and RST, this rule only 
fires on 3.  Both frag3 and stream5 have detect_anomalies set.  Anyone 
else have any funky packet rules they'd like to share?  Thanks!

James
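Two things about the post above are worth checking with code. First, in Snort's `flags` keyword the letters after the comma are a mask of bits to ignore, so `flags:S,R;` means "exactly SYN set, with RST masked out": it will not match a segment that also carries ECE or CWR, and it will match an ordinary SYN. `flags:SR,12;` (exact SYN+RST, ignoring the two ECN bits) or `flags:+SR;` (SYN and RST plus anything) express "SYN together with RST". Second, to my knowledge the Snort 2.x decoder raises a decoder event for a segment whose data offset is below 5 and does not hand it to the rule engine as TCP, so the "bogus TCP header length" segments never reach a `flags` test; that is an assumption about Snort internals, not something the post confirms, and is worth verifying with decoder alerts enabled. The example below is added here and is not code from the post: it parses the fixed TCP header, reports the same anomalies Wireshark labelled, emulates the `flags` matching semantics, and runs both over segments constructed to mirror the capture (the `build_tcp`, `parse_tcp`, `snort_flags_match` and `triage` names are mine).

```python
import struct
from dataclasses import dataclass

# 16-bit data-offset/reserved/flags field of the TCP header: offset in the
# top nibble, three reserved bits, NS, then the classic 8-bit flags byte.
FLAG_BITS = {
    "FIN": 0x001, "SYN": 0x002, "RST": 0x004, "PSH": 0x008, "ACK": 0x010,
    "URG": 0x020, "ECN": 0x040, "CWR": 0x080, "NS": 0x100,
}
RESERVED_MASK = 0x0E00

# Letters accepted by Snort's flags keyword, mapped onto the 8-bit flags byte.
# "1"/"C" are CWR and "2"/"E" are ECE (old and new names); "0" means no flags.
SNORT_LETTERS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10,
                 "U": 0x20, "C": 0x80, "1": 0x80, "E": 0x40, "2": 0x40, "0": 0}


@dataclass(frozen=True)
class TcpSummary:
    sport: int
    dport: int
    seq: int
    header_len: int      # bytes claimed by the data-offset field
    flags: frozenset     # names from FLAG_BITS that are set
    flag_byte: int       # low 8 bits: what Snort's flags keyword inspects
    reserved_set: bool
    anomalies: tuple


def build_tcp(sport, dport, seq, offset_words, flag_names, reserved=False, window=0):
    """Assemble a 20-byte TCP header with an arbitrary (possibly bogus) data offset."""
    field = (offset_words << 12) | (RESERVED_MASK if reserved else 0)
    for name in flag_names:
        field |= FLAG_BITS[name]
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, field, window, 0, 0)


def parse_tcp(segment: bytes) -> TcpSummary:
    """Decode the fixed header and list the anomalies a defender would flag."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimal 20-byte TCP header")
    sport, dport, seq, _ack, field, _win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (field >> 12) * 4
    flags = frozenset(n for n, bit in FLAG_BITS.items() if field & bit)
    reserved = bool(field & RESERVED_MASK)
    anomalies = []
    if header_len < 20:
        anomalies.append(f"bogus TCP header length ({header_len}, must be at least 20)")
    if {"SYN", "RST"} <= flags:
        anomalies.append("SYN+RST")
    if {"SYN", "FIN"} <= flags:
        anomalies.append("SYN+FIN")
    if reserved:
        anomalies.append("reserved bits set")
    if sport == 0 or dport == 0:
        anomalies.append("port 0")
    return TcpSummary(sport, dport, seq, header_len, flags, field & 0xFF, reserved, tuple(anomalies))


def _bits(letters: str) -> int:
    value = 0
    for c in letters:
        value |= SNORT_LETTERS[c]
    return value


def snort_flags_match(flag_byte: int, spec: str) -> bool:
    """Emulate flags:[!|*|+]<letters>[,<mask letters>] on one flags byte.

    Without a modifier the match is exact once the mask bits are cleared;
    "+" needs the listed bits plus any others, "*" any of them, "!" none.
    """
    want_part, _, mask_part = spec.partition(",")
    mode = "="
    if want_part and want_part[0] in "!*+":
        mode, want_part = want_part[0], want_part[1:]
    observed = flag_byte & ~_bits(mask_part) & 0xFF
    want = _bits(want_part)
    if mode == "+":
        return observed & want == want
    if mode == "*":
        return observed & want != 0
    if mode == "!":
        return observed & want == 0
    return observed == want


def triage(segments, spec: str) -> dict:
    """Count anomalies and compare raw rule hits with hits after the (assumed) decoder filter."""
    report = {"anomalies": {}, "syn_rst": 0, "rule_hits": 0,
              "rule_hits_after_decoder": 0, "decoder_rejected": 0}
    for seg in segments:
        s = parse_tcp(seg)
        for a in s.anomalies:
            report["anomalies"][a] = report["anomalies"].get(a, 0) + 1
        if {"SYN", "RST"} <= s.flags:
            report["syn_rst"] += 1
        hit = snort_flags_match(s.flag_byte, spec)
        report["rule_hits"] += int(hit)
        if s.header_len < 20:
            report["decoder_rejected"] += 1   # assumption: decoder event, never reaches rules
        elif hit:
            report["rule_hits_after_decoder"] += 1
    return report


# Constructed segments shaped like the capture above; not real traffic.
SAMPLES = [
    build_tcp(0, 0, 0, 3, ["SYN", "RST", "ECN", "NS"], reserved=True, window=6667),  # like frames 25/26
    build_tcp(0, 0, 0, 3, ["SYN", "RST", "ECN", "NS"], reserved=True, window=6667),
    build_tcp(0, 0, 0, 2, ["FIN", "SYN", "URG", "ECN"], reserved=True, window=5000),  # like frames 65/66
    build_tcp(40000, 80, 12345, 5, ["SYN", "RST"]),   # plain SYN+RST, sane header length
    build_tcp(40001, 80, 777, 5, ["SYN"]),            # an ordinary SYN, for contrast
]

if __name__ == "__main__":
    for spec in ("S,R", "SR,12", "+SR"):
        print(spec, triage(SAMPLES, spec))
```

Running it shows the two effects separately: with `S,R` the only SYN+RST segment hit is the one with no ECN bits, while the ordinary SYN is also hit; with `SR,12` all three SYN+RST segments match on flags alone, but only the one with a valid header length survives the decoder filter.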

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
