[Snort-sigs] content = leech at ...548...

Matt Kettler mkettler at ...189...
Thu Apr 25 14:41:04 EDT 2002


I know that Marty.Bostick at ...495... already answered this; however, all 
of these packets would seem strange to be causing an alert. What Snort 
version are you using? Less than 1.8.6?

Note that the IP length is 20 bytes. That means after the TCP headers (20 
bytes long), there are exactly 0 bytes of application-layer data.

There's no place for there to be a "leech at ...547..." in those packets. Or 
is it a byproduct of Snort stream reassembly that the data gets associated 
with the FIN packet?

Heck, the first two are FIN-ACKs from AOL's ad webserver to a client 
(presumably behind a Linux masquerade or some kind of PAT, with such a high 
port number).

Host name: ads.web.aol.com
IP address: 205.188.165.121
Alias(es): None


At 05:02 PM 4/22/2002 -0500, Jeff Robinson wrote:
>Has anyone seen content leech at ...547... going 
>to many different TCP ports and many different IP destinations on their 
>networks?  I find this really odd.
>
>[**] [1:0:0] leech at ...548... [**]
>04/22-17:00:02.288768 205.188.165.121:80 -> home_net:53127
>TCP TTL:45 TOS:0x0 ID:22542 IpLen:20 DgmLen:40
>***A***F Seq: 0x6FB3E703  Ack: 0x50A721BA  Win: 0x4000  TcpLen: 20
>
>[**] [1:0:0] leech at ...548... [**]
>04/22-17:00:02.288768 205.188.165.121:80 -> home_net:53127
>TCP TTL:45 TOS:0x0 ID:22543 IpLen:20 DgmLen:40
>***A***F Seq: 0x6FB3E703  Ack: 0x50A721BB  Win: 0x4000  TcpLen: 20
>
>[**] [1:0:0] leech at ...548... [**]
>04/22-17:00:02.288768 217.82.180.26:37555 -> home_net:2725
>TCP TTL:114 TOS:0x0 ID:12329 IpLen:20 DgmLen:40 DF
>***A**** Seq: 0x97E8C5DA  Ack: 0xD815F2AE  Win: 0x7FFF  TcpLen: 20
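The zero-payload arithmetic Matt points at above (DgmLen 40 minus a 20-byte IP header and a 20-byte TCP header leaves nothing for a content: match), as an added example that is not from the thread or from Snort itself: a Python parser for Snort "full" alert records that computes the per-packet payload size and picks out alerts that fired on packets carrying no application data. The sample alert text, addresses and rule message are constructed for this example.

```python
import re

# Constructed sample of Snort 1.x 'full' alert output, in the layout quoted in
# the thread; the addresses and rule message are made up for this example.
SAMPLE_ALERTS = """\
[**] [1:0:0] leech content match [**]
04/22-17:00:02.288768 205.188.165.121:80 -> 10.0.0.5:53127
TCP TTL:45 TOS:0x0 ID:22542 IpLen:20 DgmLen:40
***A***F Seq: 0x6FB3E703  Ack: 0x50A721BA  Win: 0x4000  TcpLen: 20

[**] [1:0:0] leech content match [**]
04/22-17:00:03.000000 10.0.0.9:4444 -> 10.0.0.5:80
TCP TTL:64 TOS:0x0 ID:100 IpLen:20 DgmLen:85 DF
***AP*** Seq: 0x1  Ack: 0x2  Win: 0x4000  TcpLen: 32
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[\d+:\d+:\d+\] (?P<msg>.*?) \[\*\*\]$")
FLOW_RE = re.compile(r"^\S+ (?P<src>\S+) -> (?P<dst>\S+)$")
IP_RE = re.compile(r"ID:(?P<id>\d+) IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+)")
TCP_RE = re.compile(r"TcpLen: (?P<tcplen>\d+)")


def parse_alerts(text):
    """Parse each 4-line alert record; payload_bytes = DgmLen - IpLen - TcpLen."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines()]
        if len(lines) < 4:
            continue  # not a complete record
        hdr, flow = HEADER_RE.match(lines[0]), FLOW_RE.match(lines[1])
        ip, tcp = IP_RE.search(lines[2]), TCP_RE.search(lines[3])
        if not (hdr and flow and ip and tcp):
            continue  # line layout not recognised, skip rather than guess
        # Application-layer bytes left after the IP and TCP headers are removed.
        payload = int(ip["dgmlen"]) - int(ip["iplen"]) - int(tcp["tcplen"])
        alerts.append({"msg": hdr["msg"], "src": flow["src"], "dst": flow["dst"],
                       "ip_id": int(ip["id"]), "payload_bytes": payload})
    return alerts


def zero_payload_alerts(text):
    """Alerts that fired on packets with no application data: a content: rule
    could not have matched bytes in that packet, so look at stream reassembly
    or the Snort version/rule instead of the packet itself."""
    return [a for a in parse_alerts(text) if a["payload_bytes"] <= 0]
```

Running it over a real alert file separates the FIN-ACK style hits quoted above (payload 0) from alerts on packets that actually carried data, which is the first question to settle before chasing the rule or the reassembly code.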