[Snort-users] curious packets with no Snort alert?

Matija Exel Matija.Exel at ...4103...
Fri Nov 16 11:06:03 EST 2001


hello,

I am receiving this week blasts of apparently spoofed packets of the type "TCP 1334 > 2000" and vice versa, at a rate of about 2000/sec!
The packets are between:
pcexel.ensieg.inpg.fr      and  xyplex-ensiegd.ensieg.inpg.fr
of which the first is a Win98 PC and the second is a Xyplex9000 router (which uses port 2000 for telnet).
The pcexel must be forged, as I see the packets when pcexel is down.

Snort is giving no alerts and I wonder if anyone has any idea...?


Here are the details (this content is also in the attached PC text file TCP_2000-1334.ids):
Example summary output from SNORT:
-----------------------------------------------------------

	11/16-18:41:03.618808 8:0:20:B:F4:B0 -> 0:0:E8:D6:8F:39 type:0x800 len:0x3C
	192.168.21.92:2000 -> 195.220.25.73:1334 TCP TTL:63 TOS:0x0 ID:22 IpLen:20 DgmLen:40
	***AP*** Seq: 0x1796587  Ack: 0x14119FF  Win: 0x100  TcpLen: 20

	=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

	11/16-18:41:03.618973 0:0:E8:D6:8F:39 -> 8:0:20:B:F4:B0 type:0x800 len:0x3C
	195.220.25.73:1334 -> 192.168.21.92:2000 TCP TTL:128 TOS:0x0 ID:22247 IpLen:20 DgmLen:40
	*****R** Seq: 0x14119FF  Ack: 0xAB930C9F  Win: 0x0  TcpLen: 20

	=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

	11/16-18:41:03.619822 8:0:20:B:F4:B0 -> 0:0:E8:D6:8F:39 type:0x800 len:0x3C
	192.168.21.92:2000 -> 195.220.25.73:1334 TCP TTL:63 TOS:0x0 ID:23 IpLen:20 DgmLen:40
	***AP*** Seq: 0x1796587  Ack: 0x14119FF  Win: 0x100  TcpLen: 20

	=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

	11/16-18:41:03.619997 0:0:E8:D6:8F:39 -> 8:0:20:B:F4:B0 type:0x800 len:0x3C
	195.220.25.73:1334 -> 192.168.21.92:2000 TCP TTL:128 TOS:0x0 ID:22503 IpLen:20 DgmLen:40
	*****R** Seq: 0x14119FF  Ack: 0xAB930C9F  Win: 0x0  TcpLen: 20


Example summary output from Ethereal:   2000 packets/sec!!!
------------------------------------------------------------
     No. Time        Source                Destination           Protocol Info
       1 0.000000    pcexel.ensieg.inpg.fr xyplex-ensiegd.ensieg.inpg.fr TCP      1334 > 2000 [RST] Seq=21043711 Ack=3183216307 Win=0 Len=0
       2 0.000884    xyplex-ensiegd.ensieg.inpg.fr pcexel.ensieg.inpg.fr TCP      2000 > 1334 [PSH, ACK] Seq=24733063 Ack=21043711 Win=256 Len=0
       3 0.001039    pcexel.ensieg.inpg.fr xyplex-ensiegd.ensieg.inpg.fr TCP      1334 > 2000 [RST] Seq=21043711 Ack=3183216307 Win=0 Len=0
       4 0.001924    xyplex-ensiegd.ensieg.inpg.fr pcexel.ensieg.inpg.fr TCP      2000 > 1334 [PSH, ACK] Seq=24733063 Ack=21043711 Win=256 Len=0
       5 0.002083    pcexel.ensieg.inpg.fr xyplex-ensiegd.ensieg.inpg.fr TCP      1334 > 2000 [RST] Seq=21043711 Ack=3183216307 Win=0 Len=0
       6 0.002984    xyplex-ensiegd.ensieg.inpg.fr pcexel.ensieg.inpg.fr TCP      2000 > 1334 [PSH, ACK] Seq=24733063 Ack=21043711 Win=256 Len=0
       7 0.003126    pcexel.ensieg.inpg.fr xyplex-ensiegd.ensieg.inpg.fr TCP      1334 > 2000 [RST] Seq=21043711 Ack=3183216307 Win=0 Len=0
       8 0.004017    xyplex-ensiegd.ensieg.inpg.fr pcexel.ensieg.inpg.fr TCP      2000 > 1334 [PSH, ACK] Seq=24733063 Ack=21043711 Win=256 Len=0
       9 0.004160    pcexel.ensieg.inpg.fr xyplex-ensiegd.ensieg.inpg.fr TCP      1334 > 2000 [RST] Seq=21043711 Ack=3183216307 Win=0 Len=0
      10 0.005021    xyplex-ensiegd.ensieg.inpg.fr pcexel.ensieg.inpg.fr TCP      2000 > 1334 [PSH, ACK] Seq=24733063 Ack=21043711 Win=256 Len=0


Example detailed output from Ethereal:
------------------------------------------------------------
Frame 1 (60 on wire, 60 captured)
     Arrival Time: Nov 15, 2001 16:17:35.550155000
     Time delta from previous packet: 0.000000000 seconds
     Time relative to first packet: 0.000000000 seconds
     Frame Number: 1
     Packet Length: 60 bytes
     Capture Length: 60 bytes
Ethernet II
     Destination: 08:00:20:0b:f4:b0 (aida.ensieg.inpg.fr)
     Source: 00:00:e8:d6:8f:39 (Accton_d6:8f:39)
     Type: IP (0x0800)
     Trailer: 202020202000
Internet Protocol, Src Addr: pcexel.ensieg.inpg.fr (195.220.25.73), Dst Addr: xyplex-ensiegd.ensieg.inpg.fr (192.168.21.92)
     Version: 4
     Header length: 20 bytes
     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
         0000 00.. = Differentiated Services Codepoint: Default (0x00)
         .... ..0. = ECN-Capable Transport (ECT): 0
         .... ...0 = ECN-CE: 0
     Total Length: 40
     Identification: 0x4392
     Flags: 0x00
         .0.. = Don't fragment: Not set
         ..0. = More fragments: Not set
     Fragment offset: 0
     Time to live: 128
     Protocol: TCP (0x06)
     Header checksum: 0x4414 (correct)
     Source: pcexel.ensieg.inpg.fr (195.220.25.73)
     Destination: xyplex-ensiegd.ensieg.inpg.fr (192.168.21.92)
Transmission Control Protocol, Src Port: 1334 (1334), Dst Port: 2000 (2000), Seq: 21043711, Ack: 3183216307
     Source port: 1334 (1334)
     Destination port: 2000 (2000)
     Sequence number: 21043711
     Header length: 20 bytes
     Flags: 0x0004 (RST)
         0... .... = Congestion Window Reduced (CWR): Not set
         .0.. .... = ECN-Echo: Not set
         ..0. .... = Urgent: Not set
         ...0 .... = Acknowledgment: Not set
         .... 0... = Push: Not set
         .... .1.. = Reset: Set
         .... ..0. = Syn: Not set
         .... ...0 = Fin: Not set
     Window size: 0
     Checksum: 0x1001 (correct)

Frame 2 (60 on wire, 60 captured)
     Arrival Time: Nov 15, 2001 16:17:35.551039000
     Time delta from previous packet: 0.000884000 seconds
     Time relative to first packet: 0.000884000 seconds
     Frame Number: 2
     Packet Length: 60 bytes
     Capture Length: 60 bytes
Ethernet II
     Destination: 00:00:e8:d6:8f:39 (Accton_d6:8f:39)
     Source: 08:00:20:0b:f4:b0 (aida.ensieg.inpg.fr)
     Type: IP (0x0800)
     Trailer: 202020202000
Internet Protocol, Src Addr: xyplex-ensiegd.ensieg.inpg.fr (192.168.21.92), Dst Addr: pcexel.ensieg.inpg.fr (195.220.25.73)
     Version: 4
     Header length: 20 bytes
     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
         0000 00.. = Differentiated Services Codepoint: Default (0x00)
         .... ..0. = ECN-Capable Transport (ECT): 0
         .... ...0 = ECN-CE: 0
     Total Length: 40
     Identification: 0x00d7
     Flags: 0x00
         .0.. = Don't fragment: Not set
         ..0. = More fragments: Not set
     Fragment offset: 0
     Time to live: 63
     Protocol: TCP (0x06)
     Header checksum: 0xc7cf (correct)
     Source: xyplex-ensiegd.ensieg.inpg.fr (192.168.21.92)
     Destination: pcexel.ensieg.inpg.fr (195.220.25.73)
Transmission Control Protocol, Src Port: 2000 (2000), Dst Port: 1334 (1334), Seq: 24733063, Ack: 21043711
     Source port: 2000 (2000)
     Destination port: 1334 (1334)
     Sequence number: 24733063
     Acknowledgement number: 21043711
     Header length: 20 bytes
     Flags: 0x0018 (PSH, ACK)
         0... .... = Congestion Window Reduced (CWR): Not set
         .0.. .... = ECN-Echo: Not set
         ..0. .... = Urgent: Not set
         ...1 .... = Acknowledgment: Set
         .... 1... = Push: Set
         .... .0.. = Reset: Not set
         .... ..0. = Syn: Not set
         .... ...0 = Fin: Not set
     Window size: 256
     Checksum: 0x6c5c (correct)

____________________________________________________
  M. Matija Exel
  E.N.S.I.E.G., Service  Réseau / Lab. Automatique de Grenoble
  BP.  46 Cedex,  38402 St.Martin d'Heres,  FRANCE
  Tel : (+33) 4 76 82 71 12          Fax:(+33) 4 76 82 63 88
  Matija.Exel at ...4104...,  Matija.Exel at ...4103...
  http://www-exel.ensieg.inpg.fr/
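A check a defender could run over the Snort summary records above, as an added example that is not part of the post and not Snort's own code (function names are mine): it parses Snort's three-line packet records and flags a flow that is a fixed PSH/ACK <-> RST ping-pong at a high packet rate with neither side's sequence number advancing, which is the stale-session pattern in the capture. It assumes the records are unwrapped (timestamp line, IP line, TCP line) and uses the four records from the post as constructed sample input.

```python
import re
from datetime import datetime
# Snort packet records as quoted in the post: a timestamp/MAC line, an IP line and a TCP line
# whose flag field is printed as 12UAPRSF with '*' for clear bits (so ***AP*** is PSH+ACK).
RECORD = re.compile(r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6})[^\n]*\n"
                    r"\s*(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) TCP[^\n]*\n"
                    r"\s*(?P<flags>\S{8}) Seq: (?P<seq>0x[0-9A-Fa-f]+)")

def parse_snort(text):
    """One dict per packet: arrival time, endpoints, set TCP flags, sequence number."""
    return [{"t": datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f"),  # no year in Snort output; deltas only
             "src": (m["src"], int(m["sport"])), "dst": (m["dst"], int(m["dport"])),
             "flags": set(m["flags"]) - {"*"}, "seq": int(m["seq"], 16)}
            for m in RECORD.finditer(text)]

def stuck(ps, flag):  # every packet carries `flag` and none of them advances the sequence number
    return all(flag in p["flags"] for p in ps) and len({p["seq"] for p in ps}) == 1

def find_rst_loops(pkts, min_packets=4, min_rate=100.0):
    """Flag flows that ping-pong PSH/ACK <-> RST at >= min_rate pkt/s with neither side's seq advancing."""
    flows = {}
    for p in pkts:
        flows.setdefault(tuple(sorted([p["src"], p["dst"]])), []).append(p)
    hits = {}
    for flow, fp in flows.items():
        span = (fp[-1]["t"] - fp[0]["t"]).total_seconds()
        rate = (len(fp) - 1) / span if span > 0 else float("inf")
        a = [p for p in fp if p["src"] == flow[0]]  # packets in one direction
        b = [p for p in fp if p["src"] == flow[1]]  # packets in the other
        if len(fp) < min_packets or not (a and b) or rate < min_rate:
            continue
        if (stuck(a, "R") and stuck(b, "P")) or (stuck(a, "P") and stuck(b, "R")):
            hits[flow] = {"packets": len(fp), "rate_pps": round(rate)}
    return hits
# Constructed sample: the four records from the post, with the wrapped DgmLen lines rejoined.
SAMPLE = """\
11/16-18:41:03.618808 8:0:20:B:F4:B0 -> 0:0:E8:D6:8F:39 type:0x800 len:0x3C
192.168.21.92:2000 -> 195.220.25.73:1334 TCP TTL:63 TOS:0x0 ID:22 IpLen:20 DgmLen:40
***AP*** Seq: 0x1796587  Ack: 0x14119FF  Win: 0x100  TcpLen: 20
11/16-18:41:03.618973 0:0:E8:D6:8F:39 -> 8:0:20:B:F4:B0 type:0x800 len:0x3C
195.220.25.73:1334 -> 192.168.21.92:2000 TCP TTL:128 TOS:0x0 ID:22247 IpLen:20 DgmLen:40
*****R** Seq: 0x14119FF  Ack: 0xAB930C9F  Win: 0x0  TcpLen: 20
11/16-18:41:03.619822 8:0:20:B:F4:B0 -> 0:0:E8:D6:8F:39 type:0x800 len:0x3C
192.168.21.92:2000 -> 195.220.25.73:1334 TCP TTL:63 TOS:0x0 ID:23 IpLen:20 DgmLen:40
***AP*** Seq: 0x1796587  Ack: 0x14119FF  Win: 0x100  TcpLen: 20
11/16-18:41:03.619997 0:0:E8:D6:8F:39 -> 8:0:20:B:F4:B0 type:0x800 len:0x3C
195.220.25.73:1334 -> 192.168.21.92:2000 TCP TTL:128 TOS:0x0 ID:22503 IpLen:20 DgmLen:40
*****R** Seq: 0x14119FF  Ack: 0xAB930C9F  Win: 0x0  TcpLen: 20
"""
```

Running `find_rst_loops(parse_snort(SAMPLE))` reports the single flow with 4 packets at roughly 2500 packets/s; a flow whose PSH/ACK side advances its sequence number is not reported.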