RE: Strange TCP headers

From: Robert Buckley (rbuckleyat_private)
Date: Fri May 10 2002 - 09:00:32 PDT


    pb,
    That is strange. Do you have some raw data to back up what pix is
    saying? If you have an old IOS running there, it could very well be pix is
    not reporting correctly. We need to verify this by looking at the actual raw
    header, and see if it has options etc. I've caught a few people on my own
    network using gnutella, which is prohibited by policy, but I've never seen
    our pix's report bad header lengths on the traffic. 
    
    -----Original Message-----
    From: pbsarnacat_private [mailto:pbsarnacat_private]
    Sent: Friday, May 10, 2002 11:40 AM
    To: incidentsat_private
    Subject: Strange TCP headers
    
    
    I just joined the list, and a quick search of the archives didn't turn this
    up, but forgive me if this has already been discussed.
    
    Starting on May 8 and continuing on through today, my firewall has been
    picking up malformed TCP packets. The PIX complains about bad header
    lengths, but the flag combinations that are showing up are extremely
    strange. The source IP addresses are varied, and the destination IPs are
    all NAT'd client workstations... not servers. The interesting thing is that
    a majority of the scans are originating from port 6346, which snort.org
    informs me is the gnutella server port. I've verified that at least two of
    the clients that these packets were directed to were running various
    file-sharing clients. Is this some sort of new scanning tool that runs over
    the Gnutella network? Anyone have any thoughts?
    
    (See attached file: 5-10-02-scans.txt)
    
    Thanks!
    Patrick Sarnacke
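
The check suggested in the reply above (look at the raw header, its length and its options) can be done offline on captured bytes. The following is an added example, not part of the original messages: the function name, the anomaly rules and both sample segments are constructed for illustration, and the input is assumed to start at the first byte of the TCP header.

```python
import struct

FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # bit 0 .. bit 5

def inspect_tcp_header(segment: bytes) -> dict:
    """Decode a raw TCP segment and list header-length and flag anomalies."""
    if len(segment) < 20:
        return {"anomalies": ["segment shorter than the 20-byte minimum TCP header"]}
    (sport, dport, _seq, _ack, off_byte, flag_byte,
     _win, _cksum, _urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    header_len = (off_byte >> 4) * 4  # data offset is counted in 32-bit words
    flags = [n for i, n in enumerate(FLAG_NAMES) if flag_byte & (1 << i)]
    anomalies = []
    if header_len < 20:
        anomalies.append(f"data offset gives a {header_len}-byte header (minimum is 20)")
    elif header_len > len(segment):
        anomalies.append(f"data offset gives a {header_len}-byte header, "
                         f"but only {len(segment)} bytes were captured")
    present = set(flags)
    if not present:
        anomalies.append("no flags set")
    if {"SYN", "FIN"} <= present:
        anomalies.append("SYN and FIN set together")
    if {"SYN", "RST"} <= present:
        anomalies.append("SYN and RST set together")
    # Option bytes exist only when the declared header length is believable.
    options = segment[20:header_len] if 20 < header_len <= len(segment) else b""
    return {"sport": sport, "dport": dport, "header_len": header_len,
            "flags": flags, "options": options, "anomalies": anomalies}

# Constructed sample 1: SYN/ACK from port 6346, 24-byte header with an MSS option.
GOOD = struct.pack("!HHIIBBHHH", 6346, 1025, 1, 2, 0x60, 0x12, 8192, 0, 0) \
       + bytes.fromhex("020405b4")
# Constructed sample 2: data offset of 3 words (12 bytes) with SYN+FIN+URG set.
BAD = struct.pack("!HHIIBBHHH", 6346, 1025, 1, 0, 0x30, 0x23, 0, 0, 0)

if __name__ == "__main__":
    for name, seg in (("good", GOOD), ("bad", BAD)):
        print(name, inspect_tcp_header(seg))
```
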
    
    



    This archive was generated by hypermail 2b30 : Fri May 10 2002 - 10:10:33 PDT