SV: [Snort-users] BAD TRAFFIC data in TCP SYN packet

Matt Kettler mkettler at ...4108...
Tue Jan 15 13:41:20 EST 2002


Yes, what you say is true, but if you scroll down, not only are they 
invalid DNS packets, they are also TCP SYN packets to port 53 which contain 
data.

------------------------------------
digging deeper, it appears they are also using TCP:

20:30:15.070616 172.20.78.202.3000 > dns-server.53: S
1839760761:1839760825(64) win 2048
aaaa 0300 0000 0800 4500 0068 7985 0000
f406 9cb9 ac14 4eca c0a8 1004 0bb8 0035
6da8 8579 0000 0000 5002 0800 f842 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
-------------------------------


At 12:26 PM 1/15/2002 -0800, Dan Hollis wrote:
>On Tue, 15 Jan 2002, Austad, Jay wrote:
> > Here's a description of the probe from the help provided in the
> > configuration interface for the 3dns units:
> > DNS_DOT (DNS Dot)
> > [...]
> > DNS_REV (Reverse IP address lookup)
> > [...]
>
>The mysterious malformed packets described in incidents are neither of
>these.
>
>The f5 seems to be sending malformed DNS packets, and the DNS servers are
>responding (correctly) with a format error.
>
>Is this a bug or intentional on behalf of f5?
>
>-Dan
>--
>[-] All of your bases are mine. [-]
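
As an added example (not code from the thread), a small Python decoder that walks the exact hex dump quoted above, pulls out the IPv4/TCP fields, and flags the condition the Snort alert is named after: SYN set, ACK clear, and bytes present after the TCP header. It assumes the 8 bytes before the 0x4500 IP header are an LLC/SNAP link-layer prefix, so it skips them.

```python
import struct
from dataclasses import dataclass

# Hex dump of the SYN-to-port-53 packet, copied from the tcpdump output in the thread.
PAGE_HEX = """
aaaa 0300 0000 0800 4500 0068 7985 0000
f406 9cb9 ac14 4eca c0a8 1004 0bb8 0035
6da8 8579 0000 0000 5002 0800 f842 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
"""

TCP_SYN, TCP_ACK = 0x02, 0x10


@dataclass
class TcpSummary:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    flags: int        # six classic TCP flag bits, reserved bits masked off
    payload_len: int  # bytes after the TCP header, per the IP total length

    @property
    def data_in_syn(self) -> bool:
        # A bare SYN (no ACK) should carry no data; payload here is what the alert keys on.
        return bool(self.flags & TCP_SYN) and not self.flags & TCP_ACK and self.payload_len > 0


def parse_frame(hexdump: str, link_hdr_len: int = 8) -> TcpSummary:
    """Decode IPv4 + TCP from a tcpdump-style hex dump.
    link_hdr_len skips the link-layer bytes before the IP header (assumed 8 here:
    the aa aa 03 / 00 00 00 / 08 00 LLC/SNAP prefix visible in the dump)."""
    raw = bytes.fromhex("".join(hexdump.split()))
    ip = raw[link_hdr_len:]
    ver_ihl, _tos, total_len = struct.unpack("!BBH", ip[:4])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header at the assumed offset")
    if ip[9] != 6:
        raise ValueError("IP protocol is not TCP")
    ihl = (ver_ihl & 0x0F) * 4
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]                      # trust IP total length, not capture length
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4             # TCP header length incl. options
    return TcpSummary(src, dst, sport, dport, seq, off_flags & 0x3F, len(tcp) - data_off)
```

Running `parse_frame(PAGE_HEX)` on the dump yields the same values tcpdump printed (3000 > 53, seq 1839760761, 64 bytes of payload), so the verdict `data_in_syn` is True for this packet.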
