[Snort-users] tcp/510 probe

jess at ...521...
Tue Nov 28 15:33:23 EST 2000


	Hi!

	In my case, here is the Ethereal dump of the offending packet. It
would be very interesting to know if the packet's characteristics match
for the different attacks other people have suffered. We could discover if
the different attackers are using the same tool.

	I don't know if it's some kind of problem with my capture file,
but look at the 6 final bytes. Those six 0's should not exist as the
IP length is set to 40 bytes.

								JESS
--- --- ---
Internet Protocol
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Currently Unused: 0
    Total Length: 40
    Identification: 0xf0aa
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 235
    Protocol: TCP (0x06)
    Header checksum: 0xce01 (correct)
    Source: 204.182.234.16 (204.182.234.16)
    Destination: xxx.xxx.xxx.xxx
Transmission Control Protocol, Src Port: 510 (510), Dst Port: 510 (510), Seq: 50331648, Ack: 0
    Source port: 510 (510)
    Destination port: 510 (510)
    Sequence number: 50331648
    Header length: 20 bytes
    Flags: 0x0002 (SYN)
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 16383

   0  xxxx xxxx xxxx xxxx  xxxx xxxx xxxx 4500   ........ {?...E.
  10  0028 c2df 4000 eb06 bbcc xxxx xxxx ccb6   .(..@...........
  20  ea10 01fe 01fe 0000 0000 0300 0001 5014   ..............P. 
  30  0000 97b0 0000 0000 0000 0000             ............
                     ^^^^ ^^^^ ^^^^ 
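An added worked check, not part of Jess's post: the script below parses the hex dump exactly as posted (the groups Jess redacted with x's are zeroed so the frame keeps its real layout; the MACs, EtherType and source IP it prints are therefore placeholders), decodes the IPv4 and TCP headers, and accounts for every byte of the frame. Run on the dump above it reports a 60-byte frame carrying a 40-byte IP datagram: 14 + 40 = 54 bytes, and the sending NIC/driver pads any Ethernet frame shorter than 60 bytes (FCS excluded) up to that minimum, so the six trailing zeros are Ethernet padding that Ethereal correctly leaves out of the IP length. It also shows that the bytes in the dump decode to a RST/ACK with seq 0, ack 50331649 (the dissector summary's 50331648 + 1) and window 0 sent to 204.182.234.16, i.e. the reply to the SYN summarised above rather than the SYN itself, which is worth knowing before comparing fingerprints across sites.

```python
import struct

# The frame as posted to the list (an Ethernet frame, 60 bytes on the wire
# before the FCS). Groups the poster redacted with 'x' are kept here and
# zeroed by the parser, so MACs, EtherType and source IP are placeholders.
POSTED_DUMP = """
   0  xxxx xxxx xxxx xxxx  xxxx xxxx xxxx 4500
  10  0028 c2df 4000 eb06 bbcc xxxx xxxx ccb6
  20  ea10 01fe 01fe 0000 0000 0300 0001 5014
  30  0000 97b0 0000 0000 0000 0000
"""

ETH_HDR_LEN = 14
ETH_MIN_FRAME = 60  # minimum Ethernet frame length, FCS excluded

TCP_FLAG_NAMES = ((0x20, "URG"), (0x10, "ACK"), (0x08, "PSH"),
                  (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN"))


def parse_dump(text):
    """Convert an Ethereal/tcpdump style hex dump into raw bytes.

    The first column is the offset and is discarded; any 'x' used to
    redact a nibble becomes 0 so the frame still has its real layout.
    """
    raw = bytearray()
    for line in text.strip().splitlines():
        for group in line.split()[1:]:
            raw += bytes.fromhex(group.replace("x", "0"))
    return bytes(raw)


def decode_frame(frame):
    """Decode Ethernet/IPv4/TCP headers and account for every byte of the frame."""
    if len(frame) < ETH_HDR_LEN + 20:
        raise ValueError("frame too short for an IPv4 header")
    ip = frame[ETH_HDR_LEN:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 datagram")
    total_len = struct.unpack("!H", ip[2:4])[0]
    ident, flags_frag, ttl, proto, hcsum = struct.unpack("!HHBBH", ip[4:12])
    info = {
        "frame_len": len(frame), "total_len": total_len, "ihl": ihl,
        "id": ident, "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000), "frag_off": flags_frag & 0x1FFF,
        "ttl": ttl, "proto": proto, "ip_csum": hcsum,
        "src": ".".join(map(str, ip[12:16])),   # redacted in the post
        "dst": ".".join(map(str, ip[16:20])),
    }
    if proto == 6 and total_len - ihl >= 20:
        tcp = ip[ihl:total_len]
        sport, dport, seq, ack, offset, flags, window = struct.unpack(
            "!HHIIBBH", tcp[:16])
        info.update({
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "tcp_hlen": (offset >> 4) * 4, "tcp_flags": flags,
            "tcp_flag_names": [n for bit, n in TCP_FLAG_NAMES if flags & bit],
            "window": window,
        })
    # Anything after the IP datagram is an Ethernet trailer. If the frame would
    # otherwise be shorter than 60 bytes, that trailer is the sender's padding.
    trailer = frame[ETH_HDR_LEN + total_len:]
    needed = max(0, ETH_MIN_FRAME - ETH_HDR_LEN - total_len)
    info["trailer"] = trailer
    info["trailer_is_min_frame_padding"] = len(trailer) > 0 and len(trailer) == needed
    info["trailer_all_zero"] = not any(trailer)
    return info


def analyse_posted():
    """Decode the dump from the post above."""
    return decode_frame(parse_dump(POSTED_DUMP))


if __name__ == "__main__":
    r = analyse_posted()
    print(f"frame {r['frame_len']} bytes, IP total length {r['total_len']}, "
          f"trailer {len(r['trailer'])} bytes "
          f"(min-frame padding: {r['trailer_is_min_frame_padding']})")
    print(f"{r['src']}:{r.get('sport')} -> {r['dst']}:{r.get('dport')} "
          f"flags {r.get('tcp_flag_names')} seq {r.get('seq')} "
          f"ack {r.get('ack')} win {r.get('window')} ttl {r['ttl']} "
          f"id 0x{r['id']:04x} DF={r['df']}")
```

Because the source address is redacted the IP header checksum cannot be recomputed here, so the script only reports the value on the wire. When comparing dumps from different sites, look at the padding content as well as its length: minimum-frame padding should be zeros, and a trailer that is not all zero (or longer than the minimum requires) is worth a second look, since some drivers have been known to pad with stale buffer contents.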