[Snort-users] BAD TRAFFIC data in TCP SYN packet

Martin Roesch roesch at ...1935...
Mon Jan 14 10:51:02 EST 2002


Generally speaking, you're not supposed to send application data in the
SYN packet (it's bad form to send application layer data before the
connection is even established); that's what this alert is firing on.
It's probably just a bad stack implementation.

     -Marty

Matt Kettler wrote:
> 
> Well, the port 29291 is just a random local port.. This is a syn packet
> remember, so the service being used is on destination end, and is port 53
> (dns).
> 
> so, 207.46.106.84 has decided that 172.40.20.235 might be a dns server, and
> has attempted to connect to it via TCP (it is unusual, but legal for a DNS
> server to be contacted via tcp instead of UDP).
> 
> I've seen some similar traffic myself from a pair of DNS servers directed
> at the local DNS server here.. the TCP syn packets contain several bytes of
> data which are all 00's. It is strange (AFAIK it is not legal to send data
> with a syn packet.. you haven't negotiated a connection yet), but it
> appears to be an artifact of a buggy tcp/ip implementation.. Or who knows,
> it may be an artifact of some obscure, buggy worm or scanning tool that
> looks at DNS servers and uses raw sockets instead of the local TCP/IP
> stack. Even if it is from some obscure hacking tool, the syn packets
> themselves appear harmless.
> 
> At 07:39 AM 1/14/2002 +0100, you wrote:
> >Hi!
> >
> >I get a lot of
> >
> >01/14-02:24:17.089098  [**] [1:526:3] BAD TRAFFIC data in TCP SYN packet
> >[**] [Classification: Misc activity] [Priority: 3] {TCP} 207.46.106.84:29291
> >-> 172.40.20.235:53
> >
> >172.40.20.235 is my DNS server, but why would clients put data in the syn
> >packets? According to RIPE, the source address is "ALLOCATED UNSPECIFIED",
> >so I can't find out who's doing this. It comes from a limited number of
> >addresses, they all seem to be 207.xx.xxx.xxx.
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org
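The condition the thread is discussing (a segment with only SYN set that already carries bytes past the TCP header) is easy to reproduce outside Snort, which helps when triaging whether such alerts are a buggy stack or something worth a closer look. The following is an added example, not code from the thread or from the Snort project: a small IPv4/TCP parser that applies that check and reports the same kind of detail Matt mentions (how many payload bytes, and whether they are all zero). Everything below is constructed for illustration: the packet builder, the `check_syn_payload`/`scan` function names, the `min_payload` parameter and the sample packets (which reuse the addresses quoted in the thread but are synthetic, with checksums left at zero). The ECN bits (ECE/CWR) are deliberately ignored when deciding "SYN only", since a legitimate SYN may set them, and the payload is bounded by the IP total length so Ethernet trailer padding is not mistaken for data.

```python
"""Flag IPv4/TCP segments that have only SYN set yet carry application data,
the condition behind the alert "BAD TRAFFIC data in TCP SYN packet".
Added example with constructed sample packets; not Snort's own rule code."""
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# TCP flag bits (RFC 793) plus the ECN bits (RFC 3168)
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
# ECE/CWR are excluded from the comparison: a normal SYN may set them
FLAG_MASK = FIN | SYN | RST | PSH | ACK | URG


@dataclass
class Finding:
    src: str
    sport: int
    dst: str
    dport: int
    payload_len: int
    all_zero: bool

    def alert_line(self) -> str:
        # Loosely modelled on the alert line quoted in the thread (assumed format)
        zero = " (all zero)" if self.all_zero else ""
        return (f"[**] BAD TRAFFIC data in TCP SYN packet [**] {{TCP}} "
                f"{self.src}:{self.sport} -> {self.dst}:{self.dport} "
                f"payload={self.payload_len} bytes{zero}")


def check_syn_payload(pkt: bytes, min_payload: int = 1) -> Optional[Finding]:
    """Return a Finding if pkt is an IPv4/TCP segment whose flags are exactly SYN
    (ignoring ECE/CWR) and which carries at least min_payload bytes of data."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None                              # not IPv4 or too short
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6 or ihl < 20 or len(pkt) < ihl + 20:
        return None                              # not TCP, or truncated
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    flags = tcp[13]
    if data_off < 20 or len(tcp) < data_off:
        return None                              # bad data offset
    # Bound the payload by the IP total length so link-layer padding is not counted
    payload = pkt[ihl + data_off:min(total_len, len(pkt))]
    if (flags & FLAG_MASK) != SYN or len(payload) < min_payload:
        return None
    return Finding(socket.inet_ntoa(pkt[12:16]), sport,
                   socket.inet_ntoa(pkt[16:20]), dport,
                   len(payload), all(b == 0 for b in payload))


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, flags: int,
                   payload: bytes = b"") -> bytes:
    """Constructed test packet (checksums left zero; the check never verifies them)."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 8192, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + tcp_hdr + payload


# Constructed samples; the first reuses the addresses quoted in the thread
SAMPLE_PACKETS: Dict[str, bytes] = {
    "syn_with_zero_data": build_ipv4_tcp("207.46.106.84", "172.40.20.235", 29291, 53, SYN, b"\x00" * 6),
    "clean_syn": build_ipv4_tcp("10.0.0.5", "172.40.20.235", 40000, 53, SYN),
    "ecn_syn_with_data": build_ipv4_tcp("10.0.0.6", "172.40.20.235", 40001, 53, SYN | ECE | CWR, b"\x00" * 2),
    "syn_ack_with_data": build_ipv4_tcp("172.40.20.235", "10.0.0.5", 53, 40000, SYN | ACK, b"\x00" * 4),
    "established_data": build_ipv4_tcp("10.0.0.5", "172.40.20.235", 40000, 53, PSH | ACK, b"\x00\x1c" + b"A" * 28),
    # 6 bytes beyond the IP total length, as an Ethernet trailer would add
    "padded_syn": build_ipv4_tcp("10.0.0.7", "172.40.20.235", 40002, 53, SYN) + b"\x00" * 6,
}


def scan(packets: Dict[str, bytes]) -> Dict[str, Finding]:
    """Run the check over a named set of packets and keep only the hits."""
    hits = {}
    for name, pkt in packets.items():
        finding = check_syn_payload(pkt)
        if finding is not None:
            hits[name] = finding
    return hits


if __name__ == "__main__":
    for name, finding in scan(SAMPLE_PACKETS).items():
        print(f"{name}: {finding.alert_line()}")
```

Only `syn_with_zero_data` and `ecn_syn_with_data` are reported; the SYN-ACK and the established segment carry data but are not SYN-only, the clean SYN has no payload, and the padded SYN's trailing bytes fall outside the IP total length. The `all_zero` field is what lets you separate the "several bytes of 00's" pattern Matt describes from a SYN carrying something that actually looks like a request.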



