[Snort-users] Possible network mapping?

shawn . moyer shawn at ...1184...
Thu Mar 1 15:43:55 EST 2001


OT anecdote: LocalDirectors bite. A buddy of mine with IBM Global has
pictures of the server racks from the Victoria's Secret SuperBowl
webcast where the LocalDirector actually CAUGHT ON FIRE b/c of the load.
Nice work. :)




--shawn



Bill Marquette wrote:
> 
> Might be a device behind a Cisco Local Director...we've seen FIN/ACKs from
> numerous sites (aol.com for example) where we'll block the packet from what
> appears to be a valid web server...after contacting admins we've always found
> that these servers were behind a Cisco LD.  I suspect the state table in the NAT
> on the Cisco device is too small and the second it FINs it drops the connection
> and the web server's FIN comes a hair too late and doesn't get NAT'd, just gets
> passed straight out.
> 
> --Bill
> 
> From: Dr SuSE <drsuse at ...748...> on 03/01/2001 10:02 AM
> 
> To:   Snort Users <snort-users at lists.sourceforge.net>
> cc:
> Client:
> Subject:  [Snort-users] Possible network mapping?
> 
> Has anyone seen this type of traffic before?  There never was a three-way
> handshake between my machine at 192.0.0.11 and 209.67.42.78, which resolves to
> orb-cache2.starmedia.com.
> I'm assuming it might be a forged packet sent to solicit a response, i.e. the TCP
> reset reply from my machine.
> 
> 03/01-02:04:00.491740 209.67.42.78:80 -> 192.0.0.11:1188
> TCP TTL:49 TOS:0x0 ID:14034 IpLen:20 DgmLen:40 DF
> ***A***F Seq: 0xB0B32B46  Ack: 0x97F4B645  Win: 0x4350  TcpLen: 20
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> 03/01-02:04:00.491891 192.0.0.11:1188 -> 209.67.42.78:80
> TCP TTL:128 TOS:0x0 ID:23342 IpLen:20 DgmLen:40
> *****R** Seq: 0x97F4B645  Ack: 0x97F4B645  Win: 0x0  TcpLen: 20
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> ---------------------------------------------
> Microsoft is not installed.
> http://www.drsuse.org/
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
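
Added example (not part of the original thread, and not Snort's own code): a small Python parser for log entries in the format quoted above that flags a FIN/ACK on a flow where no SYN was logged and pairs it with the RST that answered it. The function names and the assumed flag-string character set (12UAPRSF) are this example's own; the sample input is copied from the quoted message with the "> " prefixes removed.

```python
import re

# Sample input: the two entries from the quoted message.
SAMPLE = """\
03/01-02:04:00.491740 209.67.42.78:80 -> 192.0.0.11:1188
TCP TTL:49 TOS:0x0 ID:14034 IpLen:20 DgmLen:40 DF
***A***F Seq: 0xB0B32B46  Ack: 0x97F4B645  Win: 0x4350  TcpLen: 20

03/01-02:04:00.491891 192.0.0.11:1188 -> 209.67.42.78:80
TCP TTL:128 TOS:0x0 ID:23342 IpLen:20 DgmLen:40
*****R** Seq: 0x97F4B645  Ack: 0x97F4B645  Win: 0x0  TcpLen: 20
"""

ENTRY = re.compile(
    r"(?P<ts>\d\d/\d\d-[\d:.]+) (?P<src>\S+) -> (?P<dst>\S+)\s+"
    r"TCP TTL:(?P<ttl>\d+).*\n"
    r"(?P<flags>[*12UAPRSF]{8}) Seq: (?P<seq>0x[0-9A-Fa-f]+)\s+"
    r"Ack: (?P<ack>0x[0-9A-Fa-f]+)")

def parse(text):
    """Yield one dict per TCP entry found in the log text."""
    for m in ENTRY.finditer(text):
        d = m.groupdict()
        d["ttl"] = int(d["ttl"])
        d["seq"], d["ack"] = int(d["seq"], 16), int(d["ack"], 16)
        yield d

def unsolicited_fins(text):
    """Return FIN/ACKs on flows with no logged SYN, each with its RST reply."""
    syn_seen, pending, findings = set(), {}, []
    for p in parse(text):
        flow = frozenset((p["src"], p["dst"]))
        flags = p["flags"]
        if "S" in flags:
            syn_seen.add(flow)
        elif "F" in flags and "A" in flags and flow not in syn_seen:
            item = {"fin": p, "rst": None}
            pending[(p["dst"], p["src"], p["ack"])] = item
            findings.append(item)
        elif "R" in flags:
            # A host with no matching connection answers an ACK-bearing
            # segment with RST whose Seq equals that segment's Ack (RFC 793).
            item = pending.pop((p["src"], p["dst"], p["seq"]), None)
            if item:
                item["rst"] = p
    return findings

if __name__ == "__main__":
    for f in unsolicited_fins(SAMPLE):
        print(f["fin"]["src"], "->", f["fin"]["dst"], "RST seen:", bool(f["rst"]))
```

A hit only means the sensor logged no SYN for that flow; a capture that started mid-connection produces the same result, so the finding is a lead for follow-up rather than proof of a forged packet.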



