[Snort-sigs] Uptick in protocol stack testing scans

James Lay jlay at ...3266...
Mon Sep 23 18:22:45 EDT 2013


I've been seeing an increase in protocol stack shadiness at several 
locations starting on Friday.  These appear to trickle in throughout the 
day usually one every 10 to 20 minutes with src/dst ports of 0.  Those 
running Cisco will see this type of jazz in your logs:

Sep 20 17:44:24 x.x.x.x %ASA-5-500003: Bad TCP hdr length (hdrlen=8, 
pktlen=78) from to x.x.x.x/0, flags: INVALID, on 
Sep 20 18:02:26 x.x.x.x %ASA-4-500004: Invalid transport field for 
protocol=TCP, from to x.x.x.x/0
Sep 20 18:13:16 x.x.x.x %ASA-5-500003: Bad TCP hdr length (hdrlen=16, 
pktlen=78) from to x.x.x.x/0, flags: FIN SYN PSH ACK URG 
, on interface

Those running bro will see the below in their weird.log:

2013-09-20T18:13:11-0600  GECmtvVYjD8   0 x.x.x.x    0   
bad_TCP_header_len  -       F bro
2013-09-20T19:07:32-0600  DlhjJ8Twqyk   0 x.x.x.x    0   
TCP_christmas   - F bro

The below updated rules should catch some of these:
alert tcp $EXTERNAL_NET 0 -> $HOME_NET 0 (msg:"SYN RST packet"; 
flow:stateless; flags:SR+; classtype:bad-unknown; sid:10000042; rev:1;)
alert tcp $EXTERNAL_NET 0 -> $HOME_NET 0 (msg:"SYN PSH packet"; 
flow:stateless; flags:SP+; classtype:bad-unknown; sid:10000043; rev:1;)
alert tcp $EXTERNAL_NET 0 -> $HOME_NET 0 (msg:"SYN FIN packet"; 
flow:stateless; flags:SF+; classtype:bad-unknown; sid:10000097; rev:1;)

Thank you,


More information about the Snort-sigs mailing list