[Snort-users] strange data

Leonardo Rodrigues coelho at ...3917...
Thu Nov 1 04:58:02 EST 2001


    Hello Guys,

    I know this isn't exactly a snort-related question. Although, as I'm
sure there are a lot of people that are involved with
network/traffic/software stuff, I think somebody can help me here ....

    With snort I caught some very strange traffic flowing from one of my NT
servers, apparently to a LOT of internet broadcast addresses. They are
being correctly NOT forwarded by my firewall ( linux+ipchains ). But I
don't have any idea of WHAT can be generating this strange traffic. It's
being originated on the 1029/udp port, and the snort log shows:

[**] Strange Traffic [**]
11/01-10:26:39.935238 192.6.1.190:1029 -> 200.246.167.255:41508
UDP TTL:128 TOS:0x0 ID:49620 IpLen:20 DgmLen:216
Len: 196
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 4E 54 53 41 47 41 00 00 DC 01 00 00  ....NTSAGA......
70 FF 97 01 76 CB F1 77 01 00 1F 00 00 00 00 00  p...v..w........
00 9C FD 7F 00 00 00 00 A0 CC F1 77 D8 00 00 00  ...........w....
00 00 00 00 32 30 37 30 34 37 34 00 00 00 04 00  ....2070474.....
00 00 04 00 00 00 13 00 30 E6 36 3A 00 00 13 00  ........0.6:....
30 89 39 3A 0C 00 00 00 11 10 00 00              0.9:........

    NTSAGA is my NT NetBIOS name. Looking in the ports database, I couldn't
find any entry for 1029/UDP.

    Do you have any idea of what can be generating this traffic?

    Sincerely,
    Leonardo Rodrigues
    Persocom Network





