[Snort-sigs] Help with TCP
WirthJe at ...511...
Thu Aug 29 08:43:05 EDT 2002
From: Brett.Gillett at ...772... [mailto:Brett.Gillett at ...772...]
> Hey everyone,
> Just wondering if anyone could shed some light on this packet we captured
> using Snort. We captured it using a custom signature,
> [**] [1:0:0] XXXXXXXXXXXXXXXXXXXXX [**]
> 08/29-10:12:15.108174 SSS.SSS.SSS.80:18245 -> DDD.DDD.DDD.1:21536
> TCP TTL:119 TOS:0x0 ID:30214 IpLen:20 DgmLen:269 DF
> *2UA*R** Seq: 0x2F656E2F Ack: 0x73637269 Win: 0x732F
> TcpLen: 28 UrgPtr:
> TCP Options (1) => Opt 112 (40): 732E 6A73 2048 5454 502F
> 312E 310D 0A41
> 6363 6570 743A 202A 2F2A 0D0A 5265 6665 7265 723A 2068 7474
> I am interested in understanding the TCP options section and the TCP flags
> that have been set. Also, has anyone else seen anything destined to port
> 21536, I can't seem to find out what this port is.
> Lastly, even if anyone has a link to a good resource to explain this I
> would appreciate it.
Looks like a known issue with Nortel CVX routers corrupting traffic. I've
been seeing the same type of traffic for some time now. The following post on
incidents.org may shed some light....
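
An added example (not part of the original thread) for checking the corruption diagnosis against the alert itself: it re-packs the TCP fields Snort printed into the bytes they occupied on the wire and measures how much of the result is printable ASCII. The function names are illustrative; the low nibble of the offset byte is assumed to be zero because Snort does not print it, and the checksum and urgent pointer are omitted because the alert does not show them.

```python
import re
import struct

# Header lines from the alert quoted in this thread, "> " prefixes removed.
ALERT = """\
08/29-10:12:15.108174 SSS.SSS.SSS.80:18245 -> DDD.DDD.DDD.1:21536
TCP TTL:119 TOS:0x0 ID:30214 IpLen:20 DgmLen:269 DF
*2UA*R** Seq: 0x2F656E2F Ack: 0x73637269 Win: 0x732F
TcpLen: 28 UrgPtr:
TCP Options (1) => Opt 112 (40): 732E 6A73 2048 5454 502F
312E 310D 0A41
6363 6570 743A 202A 2F2A 0D0A 5265 6665 7265 723A 2068 7474
"""

def hexfield(name, alert):
    """Value of a 'Name: 0x...' field in the alert text."""
    return int(re.search(name + r": 0x([0-9A-Fa-f]+)", alert).group(1), 16)

def rebuild_header(alert):
    """Re-pack the printed TCP fields into the 16 wire bytes they came from."""
    sport, dport = map(int, re.search(r":(\d+) -> \S+:(\d+)", alert).groups())
    flagstr = re.search(r"^([*12UAPRSF]{8}) Seq", alert, re.M).group(1)
    # Snort prints flags MSB first as 12UAPRSF; '*' means the bit is clear.
    flags = sum(0x80 >> i for i, c in enumerate(flagstr) if c != "*")
    tcplen = int(re.search(r"TcpLen: (\d+)", alert).group(1))
    # Assumption: low nibble of the offset byte is 0 (Snort does not print it).
    offset_byte = (tcplen // 4) << 4
    return struct.pack("!HHIIBBH", sport, dport, hexfield("Seq", alert),
                       hexfield("Ack", alert), offset_byte, flags,
                       hexfield("Win", alert))

def option_bytes(alert):
    """Bytes Snort dumped as the body of the unknown TCP option."""
    return bytes.fromhex("".join(alert.split("):", 1)[1].split()))

def printable_ratio(data):
    """Fraction of bytes that are printable ASCII, CR or LF."""
    return sum(0x20 <= b < 0x7F or b in (0x0D, 0x0A) for b in data) / len(data)

if __name__ == "__main__":
    header = rebuild_header(ALERT)
    print(header, printable_ratio(header))
    print(option_bytes(ALERT))
```

For this alert the sixteen header bytes decode to `GET /en/scripts/` and the option dump to a fragment of HTTP request headers, which is what application data parsed as a TCP header looks like.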