{MERIT-INP} 7.0.1.0 -> 14.0.2.13

From: seren geti (serengetiat_private)
Date: Fri Mar 22 2002 - 10:29:56 PST

    Last night my Internal ServerIron went nuts when it received a bad packet.  Here's what Snort reported:
    
    snort[1955]: [1:1321:4] BAD TRAFFIC 0 ttl [Classification: Misc activity] [Priority: 3]: {MERIT-INP} 7.0.1.0 -> 14.0.2.13
    
    I'll attach the packet that was captured.
    
    Because it froze the ServerIron and Snort is running off of a mirrored port, I only got the first packet.  I'm not sure if there were more or not.  I didn't find any evidence of this packet on other devices.
    
    I have many questions:  What is the MERIT-INP protocol used for?  All I've been able to find is that it's number 32.
    
    How would one of these get into my network, or what creates these?
    
    Has anyone seen this before?
    
    Thanks for any pointers.
    
    
    [**] BAD TRAFFIC 0 ttl [**]
    03/21-19:32:44.097360 7.0.1.0 -> 14.0.2.13
    MERIT-INP TTL:0 TOS:0x0 ID:52435 IpLen:20 DgmLen:1500
    Frag Offset: 0x142   Frag Size: 0x5C8
    
    



    This archive was generated by hypermail 2b30 : Fri Mar 22 2002 - 11:27:28 PST
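
Added example, not part of the original post: a small IPv4 header triage that reports the properties visible in the Snort alert above (TTL 0, protocol 32, non-zero fragment offset) and also verifies the header checksum, which helps separate a damaged header from a well-formed one. The header bytes are constructed from the fields Snort printed; the checksum is computed here, and treating `Frag Offset: 0x142` as the raw 13-bit offset field with no flags set is an assumption.

```python
import ipaddress
import struct

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 32: "MERIT-INP"}  # IANA subset
FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header

def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_header(ttl, proto, ident, total_len, frag_field, src, dst) -> bytes:
    """Pack a sample header (IHL 5, TOS 0) and fill in a valid checksum."""
    def pack(csum):
        return struct.pack(FMT, 0x45, 0, total_len, ident, frag_field, ttl, proto,
                           csum, ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed)
    return pack(ip_checksum(pack(0)))

def triage(raw: bytes) -> dict:
    """Decode an IPv4 header and list what deserves a second look."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, _len, _id, frag, ttl, proto, _csum, src, dst = struct.unpack(FMT, raw[:20])
    ihl = (vihl & 0x0F) * 4
    findings = []
    if ttl == 0:
        findings.append("ttl=0")                 # the condition the alert names
    if frag & 0x1FFF:
        findings.append("non-first fragment")    # payload starts mid-datagram
    if proto not in (1, 6, 17):
        findings.append(f"unusual protocol {proto}")
    if ihl < 20 or len(raw) < ihl or ip_checksum(raw[:ihl]) != 0:
        findings.append("bad header checksum")   # header damaged or malformed
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "frag_offset_bytes": (frag & 0x1FFF) * 8,
            "findings": findings}

# Constructed sample: fields copied from the alert, checksum computed above.
SAMPLE = build_header(0, 32, 52435, 1500, 0x0142, "7.0.1.0", "14.0.2.13")
# Constructed variant: TTL byte altered, checksum left stale.
DAMAGED = SAMPLE[:8] + b"\x40" + SAMPLE[9:]

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(triage(DAMAGED))
```

Running the same checks on the original capture file, where the real header checksum is available, shows whether the header Snort decoded was intact.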