[Snort-users] BAD TRAFFIC data in TCP SYN packet

Chris Keladis Chris.Keladis at ...2783...
Sun Jan 13 23:46:03 EST 2002


Lars Jørgensen IT wrote:


Hi Lars,

> I get a lot of
> 
> 01/14-02:24:17.089098  [**] [1:526:3] BAD TRAFFIC data in TCP SYN packet
> [**] [Classification: Misc activity] [Priority: 3] {TCP} 207.46.106.84:29291
> -> 172.40.20.235:53
> 
> 172.40.20.235 is my DNS server, but why would clients put data in the SYN
> packets? According to RIPE, the source address is "ALLOCATED UNSPECIFIED",
> so I can't find out who's doing this. It comes from a limited number of
> addresses, they all seem to be 207.xx.xxx.xxx.
> 
> I tried Google, but to no avail. Can anybody shed some light on this?

I saw a bunch of these as well, today.

They reverse-resolve to *.windowsupdate.com

Unfortunately I haven't taken a full dump of the conversation yet to see
if the conversation goes any further than the SYN or if they are just
spoofed SYNs.

There doesn't appear to be anything malicious in the payload, although
it could be a probe to fingerprint systems (just a guess).

In any case it's something that shouldn't be there. Perhaps if someone
else logs the whole transaction we can gain further insight.




Regards,

Chris.
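An added example, not code from this thread or from the Snort project, of the check behind the "data in TCP SYN packet" alert: a connection request (SYN set, ACK clear) whose TCP segment carries bytes beyond the header. The detail worth getting right is the TCP data offset. Every real SYN carries options (MSS at least), and those options sit inside the header, so a detector that assumes a 20-byte TCP header would count the options as "data" and alert on every connection. The sample packets, including the 4-byte payload, are constructed here for illustration; the addresses and ports are taken from the alert in the post, and the contents of the real packets are not known from the thread.

```python
import struct

TCP_SYN = 0x02
TCP_ACK = 0x10
TCP_ECE = 0x40   # ECN bits: a SYN that negotiates ECN sets ECE and CWR too
TCP_CWR = 0x80


def build_ipv4_tcp(src, dst, sport, dport, flags, options=b"", payload=b""):
    """Build a minimal IPv4+TCP packet for the samples below.
    Checksums are left at zero; the detector never validates them."""
    options += b"\x00" * (-len(options) % 4)        # pad options to a 32-bit boundary
    data_off = 20 + len(options)                    # TCP header length in bytes
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0x12345678, 0,
                      ((data_off // 4) << 12) | flags, 8192, 0, 0) + options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp


def parse_ipv4_tcp(pkt):
    """Parse an IPv4 packet carrying TCP. Returns None for anything that is not
    well-formed IPv4/TCP, so truncated or non-TCP input can never match."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6 or ihl < 20 or total_len > len(pkt) or total_len < ihl + 20:
        return None
    tcp = pkt[ihl:total_len]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4                # header length from the data offset field
    if data_off < 20 or data_off > len(tcp):
        return None
    return {
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "sport": sport,
        "dport": dport,
        "flags": off_flags & 0x1FF,
        "payload": tcp[data_off:],                 # everything after header + options
    }


def is_data_in_syn(pkt):
    """SYN set, ACK clear (a connection request, not the SYN-ACK reply)
    and a non-empty TCP payload. Options are not payload."""
    p = parse_ipv4_tcp(pkt)
    if p is None:
        return False
    return bool(p["flags"] & TCP_SYN) and not (p["flags"] & TCP_ACK) and len(p["payload"]) > 0


def scan(packets):
    """One alert line per matching packet, in the shape of the alert from the post."""
    alerts = []
    for pkt in packets:
        if is_data_in_syn(pkt):
            p = parse_ipv4_tcp(pkt)
            alerts.append("[**] BAD TRAFFIC data in TCP SYN packet [**] {TCP} "
                          f"{p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}")
    return alerts


MSS = b"\x02\x04\x05\xb4"   # TCP option kind 2 (MSS), length 4, value 1460

# Constructed samples: the payload bytes are made up for this example.
SAMPLES = {
    # ordinary SYN with an MSS option and no payload: must NOT alert
    "plain_syn": build_ipv4_tcp("10.0.0.5", "172.40.20.235", 40001, 53, TCP_SYN, options=MSS),
    # SYN with options and 4 payload bytes: the case from the post
    "syn_data": build_ipv4_tcp("207.46.106.84", "172.40.20.235", 29291, 53, TCP_SYN,
                               options=MSS, payload=b"\x00\x1d\xab\xcd"),
    # ECN-setup SYN (SYN+ECE+CWR) with payload: still a connection request
    "ecn_syn_data": build_ipv4_tcp("207.46.106.84", "172.40.20.235", 29292, 53,
                                   TCP_SYN | TCP_ECE | TCP_CWR, options=MSS, payload=b"\x00\x1d"),
    # the server's SYN-ACK with payload: the responder, not what this alert is about
    "synack_data": build_ipv4_tcp("172.40.20.235", "207.46.106.84", 53, 29291,
                                  TCP_SYN | TCP_ACK, options=MSS, payload=b"\x00\x01"),
    # plain data segment after the handshake: normal traffic
    "ack_data": build_ipv4_tcp("10.0.0.5", "172.40.20.235", 40001, 53, TCP_ACK, payload=b"\x00\x1d"),
}

if __name__ == "__main__":
    for line in scan(SAMPLES.values()):
        print(line)
```

A check that requires the flag byte to be exactly SYN would miss the ECN-setup SYN above, which is why the function tests "SYN set and ACK clear" rather than equality. To get the full transaction Chris asks for, capturing with something like `tcpdump -s 0 -w syn-data.pcap host 207.46.106.84 and tcp port 53` on the sensor records both directions, after which it is clear whether the conversation continues past the SYN or the source never completes the handshake.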



