SV: [Snort-users] BAD TRAFFIC data in TCP SYN packet

Austad, Jay austad at ...432...
Tue Jan 15 07:40:06 EST 2002


Here's a description of the probe from the help provided in the
configuration interface for the 3dns units:

==========================================
Probe Protocol
Specifies which protocol the prober uses to probe LDNS servers, and in what
order the protocols are used.  (The box on the right side lists the order in
which the protocols are used.)

Note:  If you select DNS_DOT or DNS_REV, a working DNS of some sort must be
running on the probed server.

TCP (Transmission Control Protocol)
This is the most common transport layer protocol used on Ethernet and
Internet.  TCP adds reliable communication, flow-control, multiplexing, and
connection-oriented communication.  It provides full-duplex,
process-to-process connections.   TCP is connection-oriented and
stream-oriented, unlike UDP.


DNS_DOT (DNS Dot)
This protocol is specific to the 3-DNS Controller.  The 3-DNS Controller
sends a DNS Message to the probe target LDNS querying for "." (a dot).  If
the LDNS is not blocking queries from unknown addresses, it answers with a
list of root name servers.  The 3-DNS Controller makes these requests only
to measure network latency and packet loss; it does not use the information
contained in the responses.


DNS_REV (Reverse IP address lookup)
This protocol is specific to the 3-DNS Controller.  The 3-DNS Controller
sends a DNS Message to the probe target LDNS querying for a record of class
IN, type PTR.  Most versions of DNS answer with a record containing their
fully-qualified domain name.  The 3-DNS Controller makes these requests only
to measure network latency and packet loss; it does not use the information
contained in the responses.
==========================================================

If the above methods fail, the prober will do an ICMP echo ping or, failing
that, will try a UDP traceroute.  The probers can run both on 3dns units or
their BigIP units (like Cisco's Local Director).  It definitely is quite
noisy; however, it is configurable.  You can disable any of the above
behavior, and also put in a list of IPs or whole networks not to probe.

---------- 
Jay Austad 
Network Security Administrator 
CBS Marketwatch 
612.817.1271 
austad at ...432... <mailto:austad at ...432...>  
http://cbs.marketwatch.com 
http://www.bigcharts.com 
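The two DNS-based probe shapes the help text above describes (DNS_DOT: a query for "." that a non-filtering LDNS answers with the root NS list; DNS_REV: an IN/PTR query for the target's own address) are easy to reproduce and to recognise on the wire. The following is an added example and not F5's code or anything from the incidents.org write-up: it builds both probes as raw RFC 1035 messages, times one UDP round trip the way the prober measures latency and loss, and classifies an observed query as a DNS_DOT or DNS_REV probe shape so you can tag them in your own packet analysis. The transaction ids and the target address 10.1.2.3 are constructed sample values.

```python
import socket
import struct
import time

# Added example: 3-DNS style DNS_DOT / DNS_REV probes as raw DNS messages,
# plus a classifier for the shapes they leave in a capture. Not F5 code.

QTYPE_NS, QTYPE_PTR = 2, 12
QCLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as DNS labels; '.' (the root) is a lone zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode labels at offset, following compression pointers -> (name, next_offset)."""
    labels, jumped, next_off = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                next_off = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (next_off if jumped else offset)


def build_query(txid, qname, qtype, rd=1):
    """Standard query: 12-byte header (id, flags, qd=1, an=ns=ar=0) + one question."""
    header = struct.pack("!HHHHHH", txid, rd << 8, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def dns_dot_probe(txid=0x3D01):
    """DNS_DOT: ask the LDNS for '.', i.e. the root name server list."""
    return build_query(txid, ".", QTYPE_NS)


def dns_rev_probe(target_ip, txid=0x3D02):
    """DNS_REV: PTR query for the probed server's own address in in-addr.arpa."""
    rev = ".".join(reversed(target_ip.split("."))) + ".in-addr.arpa."
    return build_query(txid, rev, QTYPE_PTR)


def parse_question(msg):
    """Return (txid, qname, qtype, qclass) from the first question of a DNS message."""
    txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        return txid, None, None, None
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, qname, qtype, qclass


def classify_probe(msg):
    """Tag a DNS query with the 3-DNS probe shape it matches, else 'other'."""
    _, qname, qtype, qclass = parse_question(msg)
    if qclass != QCLASS_IN or qname is None:
        return "other"
    if qname == "." and qtype == QTYPE_NS:
        return "DNS_DOT"
    if qtype == QTYPE_PTR and qname.endswith(".in-addr.arpa."):
        return "DNS_REV"
    return "other"


def probe_latency(query, server, port=53, timeout=2.0):
    """Send one UDP query and time the reply as the prober does; None on loss."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        sock.sendto(query, (server, port))
        try:
            reply, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
        if reply[:2] != query[:2]:            # transaction id must match
            return None
        return time.monotonic() - start


if __name__ == "__main__":
    for q in (dns_dot_probe(), dns_rev_probe("10.1.2.3")):
        print(classify_probe(q), q.hex())
```

Running the module classifies the two constructed probes; `probe_latency(dns_dot_probe(), "<your resolver>")` does a real round trip. Note that only the DNS probes are handled here: the TCP probe, the ICMP echo and the UDP traceroute fallbacks that the post mentions carry no DNS payload to classify, and a resolver that refuses queries from unknown addresses will simply time out, which the prober counts as loss.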




> -----Original Message-----
> From: Dan Hollis [mailto:goemon at ...20...] 
> Sent: Monday, January 14, 2002 4:57 PM
> To: Matt Kettler
> Cc: Lars Jørgensen IT; 'snort-users at lists.sourceforge.net'; 
> bugtraq at ...35...
> Subject: Re: SV: [Snort-users] BAD TRAFFIC data in TCP SYN packet
> 
> 
> On Mon, 14 Jan 2002, Matt Kettler wrote:
> > Here's a very good analysis of the 3dns traffic and the 
> strange packets:
> > http://www.incidents.org/detect/3dns.php
> > some information on the 3dns product itself is at.
> > http://www.f5.com/f5products/3dns/index.html
> 
> Has anyone contacted f5 to ask them why they are sending malformed 
> packets?
> 
> Not that I really expect them to give a straight answer, but 
> it could be 
> enlightening...
> 
> -Dan
> -- 
> [-] Omae no subete no kichi wa ore no mono da. [-]
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
