[Snort-sigs] HTTP GET's in UDP 19

James Lay jlay at ...3266...
Thu Sep 19 10:58:39 EDT 2013


Topic says it..I see a fair amount of these:

(Event)
         sensor id: 0    event id: 1671  event second: 1379599387        event microsecond: 326773
         sig id: 2403307 gen id: 1       revision: 373    classification: 30
         priority: 2     ip source: 89.248.168.224       ip destination: x.x.x.x
         src port: 54243 dest port: 19   protocol: 17    impact_flag: 0  blocked: 0

Packet
         sensor id: 0    event id: 1671  event second: 1379599387
         packet second: 1379599387       packet microsecond: 326773
         linktype: 1     packet_length: 68
[    0] 00 1F F3 8B DB 9A F8 C0 01 7A 8E 72 88 64 11 00  .........z.r.d..
[   16] 01 F6 00 30 00 21 45 00 00 2E D4 31 00 00 F4 11  ...0.!E....1....
[   32] 33 39 59 F8 A8 E0 00 00 00 00 D3 E3 00 13 00 1A  39Y...G'uT......
[   48] 00 00 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31  ..GET / HTTP/1.1
[   64] 0D 0A 0D 0A                                      ....

UDP 19 is Chargen, and SSDP is usually 1900 so...what gives here?  
Worth sigging or do we care?  Thanks all.

James
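
As an added example (not part of the original post), the Python below decodes the 68 bytes from the dump above and checks for an HTTP request method in a datagram sent to UDP 19. The frame is PPPoE-encapsulated (ethertype 0x8864), so the IPv4 header starts 22 bytes in rather than 14. The function names and the `HTTP_METHODS` list are assumptions made for this illustration.

```python
import struct

# Packet bytes copied from the hex dump in the post (68 bytes; the destination
# IP is zeroed in the dump as posted).
PACKET_HEX = """
00 1F F3 8B DB 9A F8 C0 01 7A 8E 72 88 64 11 00
01 F6 00 30 00 21 45 00 00 2E D4 31 00 00 F4 11
33 39 59 F8 A8 E0 00 00 00 00 D3 E3 00 13 00 1A
00 00 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31
0D 0A 0D 0A
"""

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"OPTIONS ")  # assumed list


def decode(frame: bytes) -> dict:
    """Walk Ethernet -> (optional PPPoE session + PPP) -> IPv4 -> UDP."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    if ethertype == 0x8864:                      # PPPoE session stage
        ppp_proto = struct.unpack("!H", frame[off + 6:off + 8])[0]
        if ppp_proto != 0x0021:                  # PPP protocol 0x0021 = IPv4
            raise ValueError("PPP payload is not IPv4")
        off += 8                                 # 6-byte PPPoE + 2-byte PPP
    elif ethertype != 0x0800:
        raise ValueError("unsupported ethertype 0x%04x" % ethertype)
    ihl = (frame[off] & 0x0F) * 4                # IPv4 header length in bytes
    ttl, proto = frame[off + 8], frame[off + 9]
    if proto != 17:
        raise ValueError("not UDP")
    src = ".".join(str(b) for b in frame[off + 12:off + 16])
    off += ihl
    sport, dport, ulen, _csum = struct.unpack("!HHHH", frame[off:off + 8])
    payload = frame[off + 8:off + ulen]          # UDP length includes its header
    return {"src": src, "ttl": ttl, "sport": sport, "dport": dport,
            "payload": payload}


def http_on_chargen(pkt: dict) -> bool:
    """True when a UDP/19 datagram starts with an HTTP request method."""
    return pkt["dport"] == 19 and pkt["payload"].startswith(HTTP_METHODS)


if __name__ == "__main__":
    pkt = decode(bytes.fromhex(PACKET_HEX))
    print(pkt, http_on_chargen(pkt))
```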



