Snort mailing list archives

HTTP GET's in UDP 19


From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 19 Sep 2013 08:58:39 -0600

Topic says it..I see a fair amount of these:

(Event)
         sensor id: 0    event id: 1671  event second: 1379599387        event microsecond: 326773
         sig id: 2403307 gen id: 1       revision: 373    classification: 30
         priority: 2     ip source: 89.248.168.224       ip destination: x.x.x.x
         src port: 54243 dest port: 19   protocol: 17    impact_flag: 0  blocked: 0

Packet
         sensor id: 0    event id: 1671  event second: 1379599387
         packet second: 1379599387       packet microsecond: 326773
         linktype: 1     packet_length: 68
[    0] 00 1F F3 8B DB 9A F8 C0 01 7A 8E 72 88 64 11 00  .........z.r.d..
[   16] 01 F6 00 30 00 21 45 00 00 2E D4 31 00 00 F4 11  ...0.!E....1....
[   32] 33 39 59 F8 A8 E0 00 00 00 00 D3 E3 00 13 00 1A  39Y...G'uT......
[   48] 00 00 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31  ..GET / HTTP/1.1
[   64] 0D 0A 0D 0A                                      ....

UDP 19 is Chargen, and SSDP is usually 1900 so...what gives here?  
Worth sigging or do we care?  Thanks all.

James
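
Added example, not part of the original post: a short Python decoder that walks the hex column of the dump above layer by layer (Ethernet, PPPoE session, PPP, IPv4, UDP) and confirms the payload is a bare HTTP request line sent to UDP port 19. The function name decode and the returned field names are chosen for this example.

```python
import socket
import struct

# Hex column of the packet dump from the post (ASCII column dropped).
DUMP = """
00 1F F3 8B DB 9A F8 C0 01 7A 8E 72 88 64 11 00
01 F6 00 30 00 21 45 00 00 2E D4 31 00 00 F4 11
33 39 59 F8 A8 E0 00 00 00 00 D3 E3 00 13 00 1A
00 00 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31
0D 0A 0D 0A
"""
FRAME = bytes.fromhex("".join(DUMP.split()))

ETH_PPPOE_SESSION = 0x8864   # EtherType at bytes 12-13 of the frame
PPP_IPV4 = 0x0021            # PPP protocol field following the PPPoE header
IPPROTO_UDP = 17

def decode(frame: bytes) -> dict:
    """Decode Ethernet / PPPoE session / PPP / IPv4 / UDP, return key fields."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETH_PPPOE_SESSION:
        raise ValueError(f"unexpected EtherType 0x{ethertype:04x}")
    # PPPoE: ver/type, code, session id, length; then the 2-byte PPP protocol.
    _vt, _code, _sess, pppoe_len, ppp_proto = struct.unpack_from("!BBHHH", frame, 14)
    if ppp_proto != PPP_IPV4:
        raise ValueError(f"unexpected PPP protocol 0x{ppp_proto:04x}")
    ip_off = 22  # 14 (Ethernet) + 6 (PPPoE) + 2 (PPP)
    ver_ihl, _tos, ip_len, _id, _frag, ttl, proto = struct.unpack_from(
        "!BBHHHBB", frame, ip_off)
    if ver_ihl >> 4 != 4 or proto != IPPROTO_UDP:
        raise ValueError("not IPv4/UDP")
    src = socket.inet_ntoa(frame[ip_off + 12:ip_off + 16])
    udp_off = ip_off + (ver_ihl & 0x0F) * 4
    sport, dport, udp_len, _cksum = struct.unpack_from("!HHHH", frame, udp_off)
    payload = frame[udp_off + 8:udp_off + udp_len]
    return {
        "pppoe_len": pppoe_len, "ip_len": ip_len, "ttl": ttl, "src": src,
        "sport": sport, "dport": dport, "udp_len": udp_len, "payload": payload,
        # True when an HTTP request line is carried directly in the UDP datagram.
        "http_over_udp": payload.startswith(b"GET ") and b"HTTP/1." in payload,
    }

if __name__ == "__main__":
    for key, value in decode(FRAME).items():
        print(f"{key:14} {value!r}")
```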

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

