[Snort-sigs] Uptick in protocol stack testing scans

James Lay jlay at ...3266...
Mon Sep 23 18:22:45 EDT 2013


All,

I've been seeing an increase in protocol stack shadiness at several 
locations starting on Friday.  These appear to trickle in throughout the 
day usually one every 10 to 20 minutes with src/dst ports of 0.  Those 
running Cisco will see this type of jazz in your logs:

Sep 20 17:44:24 x.x.x.x %ASA-5-500003: Bad TCP hdr length (hdrlen=8, 
pktlen=78) from 213.157.218.54/0 to x.x.x.x/0, flags: INVALID, on 
interface
Sep 20 18:02:26 x.x.x.x %ASA-4-500004: Invalid transport field for 
protocol=TCP, from 95.172.154.15/0 to x.x.x.x/0
Sep 20 18:13:16 x.x.x.x %ASA-5-500003: Bad TCP hdr length (hdrlen=16, 
pktlen=78) from 95.172.154.15/0 to x.x.x.x/0, flags: FIN SYN PSH ACK URG 
, on interface

Those running bro will see the below in their weird.log:

2013-09-20T18:13:11-0600  GECmtvVYjD8 213.157.218.54   0 x.x.x.x    0   
bad_TCP_header_len  -       F bro
2013-09-20T19:07:32-0600  DlhjJ8Twqyk 213.157.218.54   0 x.x.x.x    0   
TCP_christmas   - F bro

The below updated rules should catch some of these:
alert tcp $EXTERNAL_NET 0 -> $HOME_NET 0 (msg:"SYN RST packet"; 
flow:stateless; flags:SR+; classtype:bad-unknown; sid:10000042; rev:1;)
alert tcp $EXTERNAL_NET 0 -> $HOME_NET 0 (msg:"SYN PSH packet"; 
flow:stateless; flags:SP+; classtype:bad-unknown; sid:10000043; rev:1;)
alert tcp $EXTERNAL_NET 0 -> $HOME_NET 0 (msg:"SYN FIN packet"; 
flow:stateless; flags:SF+; classtype:bad-unknown; sid:10000097; rev:1;)

Thank you,

James




More information about the Snort-sigs mailing list