Detecting bad UDP Header in packet

[BILL LARIVIERE via Snort-sigs <snort-sigs () lists snort org>]

All,
We have had some unique packets find their way to our network.  The IP header looks to be intact and was routed 
normally.  While looking at the packets in tcpdump and wireshark, an anomaly was detected.  It appears that at IP 
offset 9, the protocol is identified as UDP (offset9=0x11).  And when you look at IP offset 20 (UDP header offset 0) 
you see 0x2e.  This of course should be part of the source UDP port, not a period.  When I look at the pcap in 
Wireshark, there is not a "UDP Datagram" that starts at IP offset 20, rather "Data" starts there.  I believe this to be 
caused by an invalid port number in the "UDP Datagram" portion of the IP Header.  When I run tcpdump on the pcap file 
with ip[9]=0x11 and ip[20]=0x2e the packets in questions are identified.  My question for the group is with 
snort/suricata.
I have attempted to run snort with the snort rule alert ip ... content:"|2e|"; depth:4; offset:0.... With no success.  
My understanding of offset is it uses the payload as the reference point to start inspection.  With that in mind, the 
payload to me would be "Data" portion of the IP packet.  This offset did not fire an alert.  I have played with all 
kinds of offset and depth settings searching for the portion of the packet where the period has been used for the port. 
 To no avail.  What am I missing?

Pcap file attached with 2 packets that I am wanting to alert on.

Thanks,


Bill LaRiviere  GCIA

Attachment: ip_udp_noport.pcap
Description: ip_udp_noport.pcap

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!