On Fri, 10 May 2002, Robert Buckley wrote:

> pb,
>
> > It's not like there's a standard signature... ACK FIN URG set or something. Some have two flags,
> > some have three, some have all six, some have none. It really seems like
> > someone is manipulating these packets.
>
> It sure does seem that way, in fact I noticed in some of your output that
> the header size was 0.
> Now we all know that's a sure impossibility. Pix won't pass anything from a
> high -> low interface
> without a bare SYN on it 1st anyways, so we can bet it's not going to get
> anywhere.
> Mirror a port and throw a sniffer there and monitor the port in question. If
> you find
> the garbage is truly garbage, and pix is reporting correctly, trace it back
> to the user.

Hmm, on this note I'll throw in a few packets that I picked up in April. I figured it was corruption in the packet myself, since the packets in question have no reason to be on the network.

07:04:52.780367 198.7.0.16 > 88.0.156.254: (frag 224:4294967274@38296) [tos 0x4]
                         0604 0002 00e0 52b3 6a00 d1ca c607 0010 5800 9cfe d1ca c604
                         0000 0000 0000 0000 0000 0000 0000 0000 0000 d1ca 0100

07:05:12.209263 198.6.0.80 > 139.176.28.26: (frag 224:4294967274@38464) [tos 0x4]
                         0604 0002 00e0 52c8 a600 d1ca c606 0050 8bb0 1c1a d1ca c6df
                         0000 0000 0000 0000 0000 0000 0000 0000 0000 d1ca 0100

Haven't seen any for over a week, but someone might be able to use the information; it started around 4/17 until 4/29. I have tcpdumps of the questionable packets.

--Dano

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sat May 11 2002 - 09:56:16 PDT