On Fri, 22 Mar 2002 10:29:56 PST, seren geti <serengetiat_private> said:

> snort[1955]: [1:1321:4] BAD TRAFFIC 0 ttl [Classification: Misc activity] [Priority: 3]: {MERIT-INP} 7.0.1.0 -> 14.0.2.13
>
> I'll attach the packet that was captured.
>
> Because it froze the ServerIron and Snort is running off of a mirrored port, I only got the first packet. I'm not sure if there were more or not. I didn't find any evidence of this packet on other devices.
>
> I have many questions: What is the MERIT-INP protocol used for? All I've been able to find is that it's number 32.
>
> How would one of these get into my network, or what creates these?

My first guess would be a broken/jabbering transceiver or other error.

Also, look at the possibility that you missed the start of a header, so the fields are all offset by a bit (this will require some hand-decoding of packets). Look for something that's a valid IP header either forward or back of where it's "supposed" to be.

Another possibility is a string of datagrams with undetected collisions. Look to see if all those segments that start off with 08 00 30 30... FF FF FF make sense as broadcast packets - 48 bits of the offending station's MAC, followed by 48 bits of MAC broadcast...

-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
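The "hand-decoding" step suggested in the reply above (look for a valid IP header forward or back of where it should be) can be done mechanically. The script below is an added example, not code from either poster: it walks every byte offset of a captured frame, accepts a candidate IPv4 header only if the version nibble, IHL, total length and header checksum all check out, and annotates each hit with the things a defender would want to see (TTL 0, protocol 32 = MERIT-INP, and how far the header sits from the normal 14-byte Ethernet offset). The sample frame is constructed here for the demonstration; the addresses, TTL 0 and protocol 32 come from the quoted Snort alert, while the MAC addresses, IP id, payload and the seven bytes of leading line noise are made up.

```python
import struct

# IP protocol number 32 is MERIT-INP, the protocol named in the quoted Snort alert.
MERIT_INP = 32
ETH_HDR_LEN = 14  # where an IPv4 header normally starts in an untagged Ethernet frame


def ip_checksum(data: bytes) -> int:
    """RFC 791 one's-complement checksum. Over a complete header whose checksum
    field is already filled in, a correct header yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_at(buf: bytes, off: int):
    """Try to decode an IPv4 header starting at buf[off]; return a dict or None.
    A header is accepted only if version == 4, IHL is sane, the total length
    is not smaller than the header, and the header checksum verifies."""
    if off + 20 > len(buf):
        return None
    version, ihl = buf[off] >> 4, buf[off] & 0x0F
    if version != 4 or ihl < 5 or off + ihl * 4 > len(buf):
        return None
    hdr = buf[off:off + ihl * 4]
    total_len = struct.unpack("!H", hdr[2:4])[0]
    if total_len < ihl * 4 or ip_checksum(hdr) != 0:
        return None
    return {
        "offset": off,
        "total_len": total_len,
        "ttl": hdr[8],
        "proto": hdr[9],
        "src": ".".join(str(b) for b in hdr[12:16]),
        "dst": ".".join(str(b) for b in hdr[16:20]),
    }


def scan_for_ipv4(buf: bytes):
    """Walk every byte offset of the capture (the 'hand-decoding' step) and
    return every plausible IPv4 header, wherever it sits."""
    found = []
    for off in range(len(buf)):
        hdr = parse_ipv4_at(buf, off)
        if hdr:
            found.append(hdr)
    return found


def explain(hdr: dict):
    """Notes a defender would want next to each candidate header."""
    notes = []
    if hdr["ttl"] == 0:
        notes.append("TTL 0 (matches Snort sid 1321 'BAD TRAFFIC 0 ttl')")
    if hdr["proto"] == MERIT_INP:
        notes.append("protocol 32 = MERIT-INP")
    if hdr["offset"] != ETH_HDR_LEN:
        notes.append("header is %d bytes from the expected Ethernet offset: "
                     "frame start was probably missed" % (hdr["offset"] - ETH_HDR_LEN))
    return notes


def build_ipv4_header(src: str, dst: str, ttl: int, proto: int, payload_len: int) -> bytes:
    """Build a minimal 20-byte IPv4 header with a valid checksum (used only to
    construct the sample frame below)."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                      0x1234, 0, ttl, proto, 0, src_b, dst_b)  # id 0x1234 is arbitrary
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


# Constructed sample, not the poster's attachment: addresses, TTL 0 and protocol 32
# are taken from the alert; the MACs, IP id and payload are made up.
_PAYLOAD = b"\xde\xad\xbe\xef" * 2
_ETH = b"\xff" * 6 + bytes.fromhex("080030300001") + b"\x08\x00"  # dst bcast, src, type IPv4
_IP = build_ipv4_header("7.0.1.0", "14.0.2.13", ttl=0, proto=MERIT_INP, payload_len=len(_PAYLOAD))
ALIGNED_FRAME = _ETH + _IP + _PAYLOAD
# Same frame with 7 bytes of line noise in front, simulating a missed frame start.
OFFSET_FRAME = bytes.fromhex("3030ffffffff00") + ALIGNED_FRAME


if __name__ == "__main__":
    for name, frame in (("aligned", ALIGNED_FRAME), ("offset", OFFSET_FRAME)):
        for hdr in scan_for_ipv4(frame):
            print(name, hdr, explain(hdr))
```

Run it on the raw bytes of the attached packet instead of OFFSET_FRAME: a hit at offset 14 means the frame decoded where Snort expected it, while a hit anywhere else (or none at all) supports the missed-header or collision explanation rather than a genuinely crafted protocol-32 datagram. Requiring the checksum to verify is what keeps random line noise from producing false candidates.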
This archive was generated by hypermail 2b30 : Fri Mar 22 2002 - 13:00:58 PST