RE: Port 0 packets

From: Toby Miller (toby_millerat_private)
Date: Fri Jul 25 2003 - 18:17:36 PDT


    We have been seeing these port 0 packets since we installed
    snort-2.0.0. At first we thought we had been missing something but
    further investigation revealed that snort was not reading the packets
    correctly.
    
    Toby
    
    -----Original Message-----
    From: Dave Paris [mailto:dparisat_private]
    Sent: Thursday, July 24, 2003 4:05 PM
    To: Russell Fulton
    Cc: Stuart; incidentsat_private
    Subject: Re: Port 0 packets
    
    
    Our IDS spotted another TCP port 0 packet at 19:59pm UTC today
    (Thursday).  Headers follow:
    
    [**] (snort_decoder): T/TCP Detected [**]
    07/24-19:59:51.308749 216.136.173.246:0 -> xxx.xxx.xxx.xxx:0
    TCP TTL:55 TOS:0x0 ID:41202 IpLen:20 DgmLen:68 DF
    ******S* Seq: 0x73C13DA0  Ack: 0x0  Win: 0xFFFF  TcpLen: 48
    TCP Options (9) => MSS: 1460 NOP WS: 1 NOP NOP TS: 15026415 0
    TCP Options => NOP NOP CCNEW: 248555
    
    Kind Regards,
    -dsp
    
    On Wednesday, Jul 23, 2003, at 16:38 US/Eastern, Russell Fulton
    wrote:
    
    > On Wed, 2003-07-23 at 12:28, Stuart wrote:
    >> Hi,
    >>
    >> After currently reviewing firewall logs from ISA server I have
    >> come across a period where the box was hit with an approx.
    >> average of 3 - 4 packets per 5 minute period for 8 hours.
    >
    > Over the last few days snort has been complaining about packets on
    > TCP 0 to an address in our network. I finally got to investigate it
    > yesterday.
    >
    > The packets were coming from two IP addresses in China and were tcp
    > with RST+ACK flags set. I then used our argus <www.qosient.com> logs
    > to examine all the traffic between the addresses.  It turned out
    > that there was a flood of incoming packets with random source and
    > destination ports.  So snort was triggering on a tiny proportion of
    > the total packets.
    >
    > I concluded that this was fallout from a DOS attack on the two
    > Chinese machines in which our address had been spoofed.
    >
    > Given the frequency of your packets and the likelihood that you
    > would have noticed if there was other traffic from the source this
    > probably is not the same scenario.  One thing that would help us
    > work out possible causes is some more details about the packets --
    > TCP or UDP, flags etc.
    >
    > --
    > Russell Fulton, Network Security Officer, The University of
    > Auckland, New Zealand.
    >
    >
    
    
    
    
    
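Added here as an editor's example, not part of the thread: a Python decoder for the TCP option block printed in Dave's snort alert. The option bytes are constructed from the values in that alert (MSS 1460, WS 1, TS 15026415/0, CCNEW 248555) rather than captured, kinds 11-13 are named after RFC 1644's CC, CC.NEW and CC.ECHO options (the T/TCP options the "T/TCP Detected" message refers to), and the parser rejects malformed option lengths instead of mis-decoding them.

```python
# Added example (not from the list post): decode the TCP option block from the
# snort alert above and flag the T/TCP connection-count options (RFC 1644,
# kinds 11-13) that the decoder reports as "T/TCP Detected".
import struct

NAMES = {2: "MSS", 3: "WS", 4: "SACKPERM", 8: "TS", 11: "CC", 12: "CCNEW", 13: "CCECHO"}
TTCP_KINDS = {11, 12, 13}

def parse_tcp_options(opts: bytes):
    """Return [(name, value), ...]; raise ValueError on a malformed block
    (length 0/1 or past the buffer) rather than loop forever or over-read."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                              # EOL: end of list
            out.append(("EOL", None))
            break
        if kind == 1:                              # NOP: one byte, no length
            out.append(("NOP", None))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header at offset %d" % i)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        data = opts[i + 2:i + length]
        if kind == 2 and length == 4:
            value = struct.unpack("!H", data)[0]   # max segment size
        elif kind == 3 and length == 3:
            value = data[0]                        # window scale shift
        elif kind == 8 and length == 10:
            value = struct.unpack("!II", data)     # (TSval, TSecr)
        elif kind in TTCP_KINDS and length == 6:
            value = struct.unpack("!I", data)[0]   # T/TCP connection count
        else:
            value = data                           # unknown or odd size: raw
        out.append((NAMES.get(kind, "KIND%d" % kind), value))
        i += length
    return out

def has_ttcp(parsed):
    """True if any T/TCP CC/CCNEW/CCECHO option is present."""
    return any(name in ("CC", "CCNEW", "CCECHO") for name, _ in parsed)

# Constructed from the alert: MSS 1460, NOP, WS 1, NOP, NOP, TS 15026415/0,
# NOP, NOP, CCNEW 248555 -> 28 bytes, i.e. TcpLen 48 minus the 20-byte header.
ALERT_OPTIONS = bytes.fromhex("020405b4" "01" "030301" "01" "01"
                              "080a00e548ef00000000" "01" "01" "0c060003caeb")
```

Running `parse_tcp_options(ALERT_OPTIONS)` reproduces the option list snort printed, and `has_ttcp` on the result is the check that corresponds to the decoder alert.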



    This archive was generated by hypermail 2b30 : Sun Jul 27 2003 - 11:22:58 PDT