-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I did install snort but the box has been rebuilt since, ISA is what is running on it at the moment. So if snort can have problems no doubt ISA will :) They're quiet irritating as there's nothing I can find in packet captures that's causing them to come in :S Stu - -----Original Message----- From: Toby Miller [mailto:toby_millerat_private] Sent: 26 July 2003 02:18 To: Dave Paris; Russell Fulton Cc: Stuart; incidentsat_private Subject: RE: Port 0 packets - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 We have been seeing these port 0 packets since we installed snort-2.0.0. At first we thought we had been missing something but further investigation revealed that snort was not reading the packets correctly. Toby - - -----Original Message----- From: Dave Paris [mailto:dparisat_private] Sent: Thursday, July 24, 2003 4:05 PM To: Russell Fulton Cc: Stuart; incidentsat_private Subject: Re: Port 0 packets Our IDS spotted another TCP port 0 packet at 19:59pm UTC today (Thursday). Headers follow: [**] (snort_decoder): T/TCP Detected [**] 07/24-19:59:51.308749 216.136.173.246:0 -> xxx.xxx.xxx.xxx:0 TCP TTL:55 TOS:0x0 ID:41202 IpLen:20 DgmLen:68 DF ******S* Seq: 0x73C13DA0 Ack: 0x0 Win: 0xFFFF TcpLen: 48 TCP Options (9) => MSS: 1460 NOP WS: 1 NOP NOP TS: 15026415 0 TCP Options => NOP NOP CCNEW: 248555 Kind Regards, - - -dsp On Wednesday, Jul 23, 2003, at 16:38 US/Eastern, Russell Fulton wrote: > On Wed, 2003-07-23 at 12:28, Stuart wrote: >> Hi, >> >> After currently reviewing firewall logs from ISA server I have >> come across a period of where the box was hit with an aprox. >> average of 3 - 4 >> packets per 5 minute period for 8 hours. > > Over the last few day sort has been complaining about packets on > TCP 0 to an address in our network. I finally got to investigate it > > yesterday. > > The packets were coming from two IP addresses in China and were tcp > with > RST+ACK flags set. I then used our argus <www.qosient.com> logs to > examine all the traffic between the addresses. It turned out that > that there was a flood of incoming packets with random source and > destination > ports. So snort was triggering on a tiny proportion of the total > packets. > > I concluded that this was fallout from a DOS attack on the two > Chinese machines in which our address had been spoofed. > > Give the frequency of your packets and the likelihood that you > would have noticed if there was other traffic from the source this > probably is > not the same scenario. One thing that would help us work out > possible causes is some more details about the packets -- TCP or > UDP, flags etc. > > -- > Russell Fulton, Network Security Officer, The University of > Auckland, New Zealand. > > > -------------------------------------------------------------------- > --- ---- > -------------------------------------------------------------------- > --- ----- > > > - - ---------------------------------------------------------------------- - - ----- - - ---------------------------------------------------------------------- - - ------ - -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com> iQA/AwUBPyHWqlLhpjRJgUE5EQJl2gCeMzDWRpvuOB7k1855faVlicb6ANsAoJqd sO7AIH2qCN6SN7RN/+lbvXwz =7MW9 - -----END PGP SIGNATURE----- -----BEGIN PGP SIGNATURE----- Version: PGP 8.0.2 iQIVAwUBPyHY0pMRMj30dWmZAQJysQ//U8MjzNQcnn0xVL33ku7XmzcfUZLZ0asI rK8u9CVO0zxtOL69h3Cu+BNx/S3U+15PTcSgW4UwvY2mUrAwdr/GfnLOee5USN2p 5Zq7O4Od61P4LRnpikTtpU+RpBO97OTNqeBnf5xwJxATQZwUVxEM+9YrntN9pa1Z L8B7zus6tFyFchxU4jnMR4NJuifSsORqeRwSCmj9ppPYg6/0c28bBqtGxk1cHe/m utT0ozqi94dW1rrgXvuZX/+eGu1hfQyA/GSPgYsnSwodgvjy+9utU5X61ryg1Q5H MS0skdaw8c7xS/PvH7ggaLXgiaGcnXJzoE5+/EZmTEhIGmKZIKObGfQhyHk0U8La wjYziZ5uo0W4tRS2fiLE9LNZH4Vnq1Dowj2lea2PYSnVTAn6CHEUpGQz5CDzvwtz 7PJSXoV7EUrybGqnedtJbd5l7FzRh565OOAZr5Jg+lSmW2NzXbdgyFOXbKDeqM0R W/LR6rXga1DXuwX1KbWfSp14Xuai1rxUXRzb9RDQv/JZGy+6SQ5K60Ls/aK0aBTw T8KgdcwEd7GgGRTCXC1PBzjDV2rx1L+m4sRhZ/WjENQXX+ezdMhnm/F8NgaFXpyH W9TyFFaJDWioVMQkEN+P3ZFWYl0aoLkyg0J9UF2wY4UOvoWOzQWWOzuUEU4O54l1 16kcsq2ABU0= =jVYJ -----END PGP SIGNATURE----- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Sun Jul 27 2003 - 11:25:20 PDT