[Snort-users] IDS247/large-udp

Bob Van Cleef vancleef at ...211...
Mon Jul 31 13:23:38 EDT 2000


I have seen a lot of these types of packets.  At first, since the target
is our bastion host, I assumed it was false alarms on a file transfer,
music/video stream, or something similar, but looking closer at it I
wondered....

> grep IDS247 vision.conf
alert UDP $EXTERNAL any -> \ 
	$INTERNAL any (msg: "IDS247/large-udp"; dsize: >800;)

> du -s UDP:6970-2000 UDP:6972-2000
18504	UDP:6970-2000
3573	UDP:6972-2000

> grep 221:2000 UDP:6970-2000 UDP:6972-2000 | wc -l
   3951

3951 packets recorded, all from the same host, and all between
07/28-12:33:35 and 07/28-12:35:59

Bob
-- 
><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>
Bob Van Cleef, Member of Technical Staff         (408) 734-8100
MicroUnity Systems Engineering, Inc.         FAX (408) 734-8136
475 Potrero Ave., Sunnyvale, CA 94086   vancleef at ...211...

[**] IDS247/large-udp [**]
07/28-12:33:40.726468 xxx.xxx.xxx.221:2000 -> 192.86.6.23:6972
UDP TTL:56 TOS:0x0 ID:4930 
Len: 1380
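As an added example (not from the post, and not Snort's own code), a small Python parser for the full-alert layout quoted above that groups IDS247 hits per source host and reports count, first-to-last time span and destination ports, automating the grep/wc triage done by hand in the post; the alert text and addresses below are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Snort's full-alert layout for UDP (as in the IDS247
# entry quoted in the post); addresses are placeholders, not the poster's.
SAMPLE_ALERTS = """\
[**] IDS247/large-udp [**]
07/28-12:33:40.726468 10.0.0.221:2000 -> 192.0.2.23:6972
UDP TTL:56 TOS:0x0 ID:4930
Len: 1380

[**] IDS247/large-udp [**]
07/28-12:35:59.000001 10.0.0.221:2000 -> 192.0.2.23:6970
UDP TTL:56 TOS:0x0 ID:9000
Len: 1380

[**] IDS247/large-udp [**]
07/28-13:10:00.000000 10.0.0.77:53 -> 192.0.2.23:1234
UDP TTL:60 TOS:0x0 ID:12
Len: 900
"""

# One UDP alert: msg line, timestamp/src/dst line, TTL line, Len line.
ALERT_RE = re.compile(
    r"\[\*\*\] (?P<msg>.+?) \[\*\*\]\n"
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)\n"
    r"UDP [^\n]*\nLen: (?P<len>\d+)")

def parse_alerts(text):
    """Yield one dict per alert; the year is absent in Snort's stamp, so strptime's default is used."""
    for m in ALERT_RE.finditer(text):
        yield {"msg": m["msg"], "src": m["src"], "dport": int(m["dport"]),
               "len": int(m["len"]),
               "ts": datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f")}

def summarize(text):
    """Per (src, msg): packet count, span between first and last hit in seconds, dest ports."""
    groups = defaultdict(list)
    for a in parse_alerts(text):
        groups[(a["src"], a["msg"])].append(a)
    return {k: {"count": len(v),
                "span_s": (max(a["ts"] for a in v) - min(a["ts"] for a in v)).total_seconds(),
                "dports": {a["dport"] for a in v}} for k, v in groups.items()}

def bursts(summary, min_packets, max_span_s):
    """Sources with at least min_packets hits inside max_span_s: the one-host, two-minute pattern in the post."""
    return [k for k, s in summary.items()
            if s["count"] >= min_packets and s["span_s"] <= max_span_s]
```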