[Snort-sigs] Help with TCP

Wirth, Jeff WirthJe at ...511...
Thu Aug 29 08:43:05 EDT 2002


From: Brett.Gillett at ...772... [mailto:Brett.Gillett at ...772...]
> 
> Hey everyone,
> 
> Just wondering if anyone could shed some light on this packet we captured
> using Snort. We captured it using a custom signature:
> 
> [**] [1:0:0] XXXXXXXXXXXXXXXXXXXXX [**]
> 08/29-10:12:15.108174 SSS.SSS.SSS.80:18245 -> DDD.DDD.DDD.1:21536
> TCP TTL:119 TOS:0x0 ID:30214 IpLen:20 DgmLen:269 DF
> *2UA*R** Seq: 0x2F656E2F  Ack: 0x73637269  Win: 0x732F  TcpLen: 28  UrgPtr: 0x7269
> TCP Options (1) => Opt 112 (40): 732E 6A73 2048 5454 502F 312E 310D 0A41 6363 6570 743A 202A 2F2A 0D0A 5265 6665 7265 723A 2068 7474
> 
> I am interested in understanding the TCP options section and the TCP flags
> that have been set. Also, has anyone else seen anything destined to port
> 21536? I can't seem to find out what this port is.
> 
> Lastly, even if anyone has a link to a good resource to explain this, I
> would appreciate it.
> 

Looks like a known issue with Nortel CVX routers corrupting traffic.  I've
been seeing the same type of traffic for some time now.  The following post on
incidents.org may shed some light...

http://archives.neohapsis.com/archives/incidents/2001-01/0078.html

- Jeff
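The field values from the alert above, re-serialized as the bytes Snort decoded them from and then read as ASCII. This is an added example, not code from the original thread or from Snort; the TCP checksum is not printed in a Snort alert, so the two bytes at that position are placeholders, and the `SNORT_FIELDS` dictionary and function names are mine.

```python
import struct

# Values copied from the Snort alert quoted in the thread. Snort prints every
# TCP header field except the checksum, so those two bytes are not recoverable.
SNORT_FIELDS = {
    "src_port": 18245,
    "dst_port": 21536,
    "seq": 0x2F656E2F,
    "ack": 0x73637269,
    "tcp_len": 28,          # header length in bytes (data offset * 4)
    "flags": "*2UA*R**",    # Snort's 12UAPRSF flag string
    "win": 0x732F,
    "urg_ptr": 0x7269,
    "options_hex": (
        "732E 6A73 2048 5454 502F 312E 310D 0A41 6363 6570 743A 202A "
        "2F2A 0D0A 5265 6665 7265 723A 2068 7474"
    ),
}

# Snort's flag letters, most significant bit first:
# 1 = CWR (0x80), 2 = ECE (0x40), U, A, P, R, S, F down to 0x01.
FLAG_LETTERS = "12UAPRSF"


def flags_to_byte(flag_str):
    """Turn Snort's '*2UA*R**' notation back into the raw TCP flags byte."""
    value = 0
    for bit, (letter, shown) in enumerate(zip(FLAG_LETTERS, flag_str)):
        if shown == "*":
            continue
        if shown != letter:
            raise ValueError("unexpected flag %r at position %d" % (shown, bit))
        value |= 0x80 >> bit
    return value


def rebuild_header(fields, checksum_placeholder=b"??"):
    """Re-serialize the 20-byte fixed TCP header plus options in wire order."""
    offset_byte = (fields["tcp_len"] // 4) << 4           # data offset, upper nibble
    fixed = struct.pack(
        "!HHIIBBH",
        fields["src_port"], fields["dst_port"],
        fields["seq"], fields["ack"],
        offset_byte, flags_to_byte(fields["flags"]),
        fields["win"],
    )
    fixed += checksum_placeholder                          # checksum: not in the alert
    fixed += struct.pack("!H", fields["urg_ptr"])
    options = bytes.fromhex(fields["options_hex"].replace(" ", ""))
    return fixed + options


def header_as_text(fields):
    """Decode the rebuilt header as ASCII; fails if any field is not printable."""
    return rebuild_header(fields).decode("ascii")


def port_pair_ascii(src_port, dst_port):
    """The four bytes a TCP decoder takes as source/destination port, as text."""
    return struct.pack("!HH", src_port, dst_port).decode("ascii")


if __name__ == "__main__":
    print(repr(header_as_text(SNORT_FIELDS)))
    print(repr(port_pair_ascii(SNORT_FIELDS["src_port"], SNORT_FIELDS["dst_port"])))
```

Run stand-alone, it prints `'GET /en/scripts/??ris.js HTTP/1.1\r\nAccept: */*\r\nReferer: htt'`: the "TCP header" Snort decoded is the first 60 bytes of an HTTP request, with the real TCP header missing and the payload shifted up into its place, which is what the CVX corruption referenced above produces. The "ports" 18245 and 21536 are simply the bytes "GE" and "T ", so a rule keyed on that port pair will match the GET flavour of these mangled packets, and the flags byte is just the letter "t" in "scripts".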



