[Snort-users] Anyone Else seen this weird traffic from aol?

Thayne thayne_a at ...125...
Fri Aug 11 17:24:15 EDT 2000


Hi,

Thanks for your reply.  The IPs on our side are all clients.  The source
port is always 80, and the destination ports vary.  I wrote a snort rule to
pick up the offending packets, and found that they actually have no payload.
Here is the dump from the previous alerts:

[**] AOL Mangled Packets [**]
08/09-10:10:18.368112 205.188.160.121:80 -> our.net.work.xx:1321
TCP TTL:54 TOS:0x0 ID:36767  DF
*1**R*** Seq: 0x61DBE26A   Ack: 0x0   Win: 0x0

[**] AOL Mangled Packets [**]
08/09-10:10:18.580516 205.188.160.121:80 -> our.net.work.xx:1322
TCP TTL:54 TOS:0x0 ID:36776  DF
*1**R*** Seq: 0x325B2467   Ack: 0x0   Win: 0x0

[**] AOL Mangled Packets [**]
08/09-10:10:20.336619 205.188.160.121:80 -> our.net.work.xx:1323
TCP TTL:54 TOS:0x0 ID:36825  DF
*1**R*** Seq: 0x692A18FC   Ack: 0x0   Win: 0x0

Any ideas?

TIA
Thayne



----- Original Message -----
From: "Bill Pennington" <billp at ...60...>
To: "Thayne" <thayne_a at ...125...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Friday, August 11, 2000 5:47 PM
Subject: Re: [Snort-users] Anyone Else seen this weird traffic from aol?


> I have not noticed anything like that coming from AOL and a high
> percentage of our users come from AOL. Are the IPs on your sides clients
> or servers? It looks like web traffic since the source port is 80 but
> without a packet dump it is hard to tell.
>
> I do know AOL runs lots of weird stuff with there mega proxies and
> whatnot.
>
> Thayne wrote:
> >
> > Greetings,
> >
> > Ever since we've been running snort, we are constantly getting weird stealth
> > packets from aol that are picked up by the spp_portscan plugin.  The
> > following is an excerpt from one instance:
> >
> > Alert log:
> > [**] spp_portscan: PORTSCAN DETECTED from 205.188.x.x (STEALTH) [**]
> > [**] spp_portscan: portscan status from 205.188.x.x: 3 connections across 1 hosts: TCP(3) UDP(0) STEALTH [**]
> > [**] spp_portscan: End of portscan from 205.188.x.x: TOTAL time(2s) hosts(1) TCP(3) UDP(0) STEALTH [**]
> >
> > Portscan.log:
> > Aug  9 10:10:18 205.188.x.x:80 -> our.sub.net.xxx UNKNOWN *1**R***
> > RESERVEDBITS
> > Aug  9 10:10:18 205.188.x.x:80 -> our.sub.net.xxx UNKNOWN *1**R***
> > RESERVEDBITS
> > Aug  9 10:10:20 205.188.x.x:80 -> our.sub.net.xxx UNKNOWN *1**R***
> > RESERVEDBITS
> >
> > They come from different AOL IP's and go to many different IP's on our net.
> > We've tried to talk to AOL about it, but they just say it's normal traffic.
> > Yeah right.
> >
> > We can't seem to get the spp_portscan plugin to ignore it, as the packets are
> > stealth.  Anyone else see this sort of traffic?  Any ideas on how to keep it
> > from being logged?
> >
> > TIA,
> > Thayne
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > http://lists.sourceforge.net/mailman/listinfo/snort-users
>
> --
>
>
> Bill Pennington
> Senior IT Manager
> Rocketcash
> billp at ...60...
> http://www.rocketcash.com
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
>
