[Snort-users] MISC Tiny Fragments

Noller, Gregory Noller2G at ...4290...
Wed Jan 16 08:25:12 EST 2002


Here is a tcpdump capture of something that is firing my MISC Tiny Fragments
rule.

Every 40 minutes I get three fragments.  Two different SRC addresses (not
obfuscated). Target is my Raptor firewall.

I have been unable to identify why or what this is... any help would be
appreciated.

09:45:24.719745 0:3:fd:3c:14:8 8:0:20:79:5a:87 ip 90: 210.150.45.253 >
firewall.mynet.com: (frag 6719:56 at ...184...)
0x0000	 4500 004c 1a3f 0001 3401 580e d296 2dfd	E..L.?..4.X...-.
0x0010	 92d1 80fe 0000 0000 0000 0000 0000 0000	................
0x0020	 0000 0000 0000 0000 fc9f 453c 2f2b 0400	..........E</+..
0x0030	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0040	 0000 0000 0000 0000 0000 0000          	............
09:45:24.719745 0:3:fd:3c:14:8 8:0:20:79:5a:87 ip 60: 210.150.45.253 >
firewall.mynet.com: icmp: echo request (frag 6719:8 at ...183...+)
0x0000	 4500 001c 1a3f 2000 3401 383f d296 2dfd	E....?..4.8?..-.
0x0010	 92d1 80fe 0800 67b9 1a3f 0100 0000 0000	......g..?......
0x0020	 0000 0000 0000 0000 0000 0000 0000     	..............
09:45:24.719745 0:3:fd:3c:14:8 8:0:20:79:5a:87 ip 90: 210.150.45.253 >
firewall.mynet.com: (frag 6719:56 at ...184...)
0x0000	 4500 004c 1a3f 0001 3401 580e d296 2dfd	E..L.?..4.X...-.
0x0010	 92d1 80fe 0000 0000 0000 0000 0000 0000	................
0x0020	 0000 0000 0000 0000 fc9f 453c 602b 0400	..........E<`+..
0x0030	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0040	 0000 0000 0000 0000 0000 0000          	............
09:45:24.719745 0:3:fd:3c:14:8 8:0:20:79:5a:87 ip 60: 210.150.45.253 >
firewall.mynet.com: icmp: echo request (frag 6719:8 at ...183...+)
0x0000	 4500 001c 1a3f 2000 3401 383f d296 2dfd	E....?..4.8?..-.
0x0010	 92d1 80fe 0800 35b9 1a3f 0200 0000 0000	......5..?......
0x0020	 0000 0000 0000 0000 0000 0000 0000     	..............
09:45:24.719745 8:0:20:79:5a:87 0:0:c:7:ac:a ip 98: firewall.mynet.com >
210.150.45.253: icmp: echo reply (DF)
0x0000	 4500 0054 8593 4000 ff01 e1b1 92d1 80fe	E..T.. at ...4589...
0x0010	 d296 2dfd 0000 6fb9 1a3f 0100 0000 0000	..-...o..?......
0x0020	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0030	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0040	 0000 fc9f 453c 2f2b 0400 0000 0000 0000	....E</+........
0x0050	 0000                                   	..
09:45:24.719745 0:3:fd:3c:14:8 8:0:20:79:5a:87 ip 90: 210.150.45.253 >
firewall.mynet.com: (frag 6719:56 at ...184...)
0x0000	 4500 004c 1a3f 0001 3401 580e d296 2dfd	E..L.?..4.X...-.
0x0010	 92d1 80fe 0000 0000 0000 0000 0000 0000	................
0x0020	 0000 0000 0000 0000 fc9f 453c 772b 0400	..........E<w+..
0x0030	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0040	 0000 0000 0000 0000 0000 0000          	............
09:45:24.719745 8:0:20:79:5a:87 0:0:c:7:ac:a ip 98: firewall.mynet.com >
210.150.45.253: icmp: echo reply (DF)
0x0000	 4500 0054 8594 4000 ff01 e1b0 92d1 80fe	E..T.. at ...4589...
0x0010	 d296 2dfd 0000 3db9 1a3f 0200 0000 0000	..-...=..?......
0x0020	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0030	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0040	 0000 fc9f 453c 602b 0400 0000 0000 0000	....E<`+........
0x0050	 0000                                   	..
09:45:24.719745 0:3:fd:3c:14:8 8:0:20:79:5a:87 ip 60: 210.150.45.253 >
firewall.mynet.com: icmp: echo request (frag 6719:8 at ...183...+)
0x0000	 4500 001c 1a3f 2000 3401 383f d296 2dfd	E....?..4.8?..-.
0x0010	 92d1 80fe 0800 1db9 1a3f 0300 0000 0000	.........?......
0x0020	 0000 0000 0000 0000 0000 0000 0000     	..............
09:45:24.719745 8:0:20:79:5a:87 0:0:c:7:ac:a ip 98: firewall.mynet.com >
210.150.45.253: icmp: echo reply (DF)
0x0000	 4500 0054 8595 4000 ff01 e1af 92d1 80fe	E..T.. at ...4589...
0x0010	 d296 2dfd 0000 25b9 1a3f 0300 0000 0000	..-...%..?......
0x0020	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0030	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0040	 0000 fc9f 453c 772b 0400 0000 0000 0000	....E<w+........
0x0050	 0000                                   	..
09:45:29.679855 0:3:fd:3c:14:8 8:0:20:79:5a:87 ip 98: 210.150.45.253 >
firewall.mynet.com: icmp: echo request
0x0000	 4500 0054 1a3f 0000 3401 5807 d296 2dfd	E..T.?..4.X...-.
0x0010	 92d1 80fe 0800 b6d9 1a3f 0100 0000 0000	.........?......
0x0020	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0030	 01a0 453c db0a 0400 0000 0000 0000 0000	..E<............
0x0040	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0050	 0000                                   	..
09:45:29.679855 0:3:fd:3c:14:8 8:0:20:79:5a:87 ip 98: 210.150.45.253 >
firewall.mynet.com: icmp: echo request
0x0000	 4500 0054 1a3f 0000 3401 5807 d296 2dfd	E..T.?..4.X...-.
0x0010	 92d1 80fe 0800 a0d9 1a3f 0200 0000 0000	.........?......
0x0020	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0030	 01a0 453c f00a 0400 0000 0000 0000 0000	..E<............
0x0040	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0050	 0000                                   	..
09:45:29.679855 8:0:20:79:5a:87 0:0:c:7:ac:a ip 98: firewall.mynet.com >
210.150.45.253: icmp: echo reply (DF)
0x0000	 4500 0054 8596 4000 ff01 e1ae 92d1 80fe	E..T.. at ...4589...
0x0010	 d296 2dfd 0000 bed9 1a3f 0100 0000 0000	..-......?......
0x0020	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0030	 01a0 453c db0a 0400 0000 0000 0000 0000	..E<............
0x0040	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0050	 0000                                   	..
09:45:29.679855 8:0:20:79:5a:87 0:0:c:7:ac:a ip 98: firewall.mynet.com >
210.150.45.253: icmp: echo reply (DF)
0x0000	 4500 0054 8597 4000 ff01 e1ad 92d1 80fe	E..T.. at ...4589...
0x0010	 d296 2dfd 0000 a8d9 1a3f 0200 0000 0000	..-......?......
0x0020	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0030	 01a0 453c f00a 0400 0000 0000 0000 0000	..E<............
0x0040	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0050	 0000                                   	..
09:45:29.679855 0:3:fd:3c:14:8 8:0:20:79:5a:87 ip 98: 210.150.45.253 >
firewall.mynet.com: icmp: echo request
0x0000	 4500 0054 1a3f 0000 3401 5807 d296 2dfd	E..T.?..4.X...-.
0x0010	 92d1 80fe 0800 92d9 1a3f 0300 0000 0000	.........?......
0x0020	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0030	 01a0 453c fd0a 0400 0000 0000 0000 0000	..E<............
0x0040	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0050	 0000                                   	..
09:45:29.679855 8:0:20:79:5a:87 0:0:c:7:ac:a ip 98: firewall.mynet.com >
210.150.45.253: icmp: echo reply (DF)
0x0000	 4500 0054 8598 4000 ff01 e1ac 92d1 80fe	E..T.. at ...4589...
0x0010	 d296 2dfd 0000 9ad9 1a3f 0300 0000 0000	..-......?......
0x0020	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0030	 01a0 453c fd0a 0400 0000 0000 0000 0000	..E<............
0x0040	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0050	 0000                                   	..
09:47:31.162567 0:3:fd:3c:14:8 8:0:20:79:5a:87 ip 90: 211.13.231.126 >
firewall.mynet.com: (frag 14167:56 at ...184...)
0x0000	 4500 004c 3757 0001 3201 82fd d30d e77e	E..L7W..2......~
0x0010	 92d1 80fe 0000 0000 0000 0000 0000 0000	................
0x0020	 0000 0000 0000 0000 7aa0 453c c9eb 0a00	........z.E<....
0x0030	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0040	 0000 0000 0000 0000 0000 0000          	............
09:47:31.162567 0:3:fd:3c:14:8 8:0:20:79:5a:87 ip 60: 211.13.231.126 >
firewall.mynet.com: icmp: echo request (frag 14167:8 at ...183...+)
0x0000	 4500 001c 3757 2000 3201 632e d30d e77e	E...7W..2.c....~
0x0010	 92d1 80fe 0800 2be0 3757 0100 0000 0000	......+.7W......
0x0020	 0000 0000 0000 0000 0000 0000 0000     	..............
09:47:31.162567 0:3:fd:3c:14:8 8:0:20:79:5a:87 ip 90: 211.13.231.126 >
firewall.mynet.com: (frag 14167:56 at ...184...)
0x0000	 4500 004c 3757 0001 3201 82fd d30d e77e	E..L7W..2......~
0x0010	 92d1 80fe 0000 0000 0000 0000 0000 0000	................
0x0020	 0000 0000 0000 0000 7aa0 453c fbeb 0a00	........z.E<....
0x0030	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0040	 0000 0000 0000 0000 0000 0000          	............
09:47:31.162567 0:3:fd:3c:14:8 8:0:20:79:5a:87 ip 60: 211.13.231.126 >
firewall.mynet.com: icmp: echo request (frag 14167:8 at ...183...+)
0x0000	 4500 001c 3757 2000 3201 632e d30d e77e	E...7W..2.c....~
0x0010	 92d1 80fe 0800 f8df 3757 0200 0000 0000	........7W......
0x0020	 0000 0000 0000 0000 0000 0000 0000     	..............
09:47:31.162567 8:0:20:79:5a:87 0:0:c:7:ac:a ip 98: firewall.mynet.com >
211.13.231.126: icmp: echo reply (DF)
0x0000	 4500 0054 7371 4000 ff01 39db 92d1 80fe	E..Tsq at ...4590...
0x0010	 d30d e77e 0000 33e0 3757 0100 0000 0000	...~..3.7W......
0x0020	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0030	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0040	 0000 7aa0 453c c9eb 0a00 0000 0000 0000	..z.E<..........
0x0050	 0000                                   	..
09:47:31.162567 0:3:fd:3c:14:8 8:0:20:79:5a:87 ip 90: 211.13.231.126 >
firewall.mynet.com: (frag 14167:56 at ...184...)
0x0000	 4500 004c 3757 0001 3201 82fd d30d e77e	E..L7W..2......~
0x0010	 92d1 80fe 0000 0000 0000 0000 0000 0000	................
0x0020	 0000 0000 0000 0000 7aa0 453c 13ec 0a00	........z.E<....
0x0030	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0040	 0000 0000 0000 0000 0000 0000          	............
09:47:31.162567 0:3:fd:3c:14:8 8:0:20:79:5a:87 ip 60: 211.13.231.126 >
firewall.mynet.com: icmp: echo request (frag 14167:8 at ...183...+)
0x0000	 4500 001c 3757 2000 3201 632e d30d e77e	E...7W..2.c....~
0x0010	 92d1 80fe 0800 dfdf 3757 0300 0000 0000	........7W......
0x0020	 0000 0000 0000 0000 0000 0000 0000     	..............
09:47:31.162567 8:0:20:79:5a:87 0:0:c:7:ac:a ip 98: firewall.mynet.com >
211.13.231.126: icmp: echo reply (DF)
0x0000	 4500 0054 7372 4000 ff01 39da 92d1 80fe	E..Tsr at ...4590...
0x0010	 d30d e77e 0000 00e0 3757 0200 0000 0000	...~....7W......
0x0020	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0030	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0040	 0000 7aa0 453c fbeb 0a00 0000 0000 0000	..z.E<..........
0x0050	 0000                                   	..
09:47:31.162567 8:0:20:79:5a:87 0:0:c:7:ac:a ip 98: firewall.mynet.com >
211.13.231.126: icmp: echo reply (DF)
0x0000	 4500 0054 7373 4000 ff01 39d9 92d1 80fe	E..Tss at ...4590...
0x0010	 d30d e77e 0000 e7df 3757 0300 0000 0000	...~....7W......
0x0020	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0030	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0040	 0000 7aa0 453c 13ec 0a00 0000 0000 0000	..z.E<..........
0x0050	 0000                                   	..
09:47:36.202679 0:3:fd:3c:14:8 8:0:20:79:5a:87 ip 98: 211.13.231.126 >
firewall.mynet.com: icmp: echo request
0x0000	 4500 0054 3757 0000 3201 82f6 d30d e77e	E..T7W..2......~
0x0010	 92d1 80fe 0800 80e4 3757 0100 0000 0000	........7W......
0x0020	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0030	 7fa0 453c 6fe7 0a00 0000 0000 0000 0000	..E<o...........
0x0040	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0050	 0000                                   	..
09:47:36.202679 0:3:fd:3c:14:8 8:0:20:79:5a:87 ip 98: 211.13.231.126 >
firewall.mynet.com: icmp: echo request
0x0000	 4500 0054 3757 0000 3201 82f6 d30d e77e	E..T7W..2......~
0x0010	 92d1 80fe 0800 6be4 3757 0200 0000 0000	......k.7W......
0x0020	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0030	 7fa0 453c 83e7 0a00 0000 0000 0000 0000	..E<............
0x0040	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0050	 0000                                   	..
09:47:36.202679 0:3:fd:3c:14:8 8:0:20:79:5a:87 ip 98: 211.13.231.126 >
firewall.mynet.com: icmp: echo request
0x0000	 4500 0054 3757 0000 3201 82f6 d30d e77e	E..T7W..2......~
0x0010	 92d1 80fe 0800 5de4 3757 0300 0000 0000	......].7W......
0x0020	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0030	 7fa0 453c 90e7 0a00 0000 0000 0000 0000	..E<............
0x0040	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0050	 0000                                   	..
09:47:36.202679 8:0:20:79:5a:87 0:0:c:7:ac:a ip 98: firewall.mynet.com >
211.13.231.126: icmp: echo reply (DF)
0x0000	 4500 0054 7374 4000 ff01 39d8 92d1 80fe	E..Tst at ...4590...
0x0010	 d30d e77e 0000 88e4 3757 0100 0000 0000	...~....7W......
0x0020	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0030	 7fa0 453c 6fe7 0a00 0000 0000 0000 0000	..E<o...........
0x0040	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0050	 0000                                   	..
09:47:36.202679 8:0:20:79:5a:87 0:0:c:7:ac:a ip 98: firewall.mynet.com >
211.13.231.126: icmp: echo reply (DF)
0x0000	 4500 0054 7375 4000 ff01 39d7 92d1 80fe	E..Tsu at ...4590...
0x0010	 d30d e77e 0000 73e4 3757 0200 0000 0000	...~..s.7W......
0x0020	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0030	 7fa0 453c 83e7 0a00 0000 0000 0000 0000	..E<............
0x0040	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0050	 0000                                   	..
09:47:36.202679 8:0:20:79:5a:87 0:0:c:7:ac:a ip 98: firewall.mynet.com >
211.13.231.126: icmp: echo reply (DF)
0x0000	 4500 0054 7376 4000 ff01 39d6 92d1 80fe	E..Tsv at ...4590...
0x0010	 d30d e77e 0000 65e4 3757 0300 0000 0000	...~..e.7W......
0x0020	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0030	 7fa0 453c 90e7 0a00 0000 0000 0000 0000	..E<............
0x0040	 0000 0000 0000 0000 0000 0000 0000 0000	................
0x0050	 0000                                   	..

Gregory Noller
Senior IT Security Technologist
Technology Risk Services
Koch Business Solutions, LP
Wichita, Kansas
(316) 828-7725
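
The fragment headers in the capture above can be decoded directly from the hex. The following is an added example, not part of the original post: it parses the first two packets (IP-layer bytes copied from the dump), flags the 8-byte first fragment, reassembles the datagram and verifies the ICMP checksum. The 25-byte threshold and all function names are assumptions for illustration.

```python
import struct

# IP-layer bytes copied from the first two packets of the capture above.
FRAG_56 = bytes.fromhex("4500004c1a3f00013401580ed2962dfd92d180fe"
                        + "00" * 20 + "fc9f453c2f2b0400" + "00" * 28)
FRAG_8 = bytes.fromhex("4500001c1a3f20003401383fd2962dfd92d180fe"
                       + "080067b91a3f0100"
                       + "00" * 18)  # trailing Ethernet padding in the 60-byte frame
TINY_THRESHOLD = 25  # assumed cut-off for illustration, not taken from the post

def parse_fragment(pkt):
    """Decode the IPv4 header fields that matter for fragmentation."""
    ver_ihl, _tos, total_len, ip_id, flags_off, _ttl, proto = struct.unpack(
        "!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ip_id, "proto": proto,
            "mf": bool(flags_off & 0x2000),        # More Fragments flag
            "offset": (flags_off & 0x1FFF) * 8,    # field counts 8-byte units
            # Trust total_len, not len(pkt): short frames carry padding.
            "data": pkt[ihl:total_len]}

def is_tiny(frag, threshold=TINY_THRESHOLD):
    """A non-final fragment with a very small payload."""
    return frag["mf"] and len(frag["data"]) < threshold

def reassemble(frags):
    """Place each payload at its offset; fail on a missing tail or a hole."""
    buf, covered, end = bytearray(), set(), None
    for f in frags:
        stop = f["offset"] + len(f["data"])
        buf.extend(bytes(max(0, stop - len(buf))))
        buf[f["offset"]:stop] = f["data"]
        covered.update(range(f["offset"], stop))
        if not f["mf"]:
            end = stop
    if end is None or not set(range(end)) <= covered:
        raise ValueError("incomplete datagram")
    return bytes(buf[:end])

def inet_checksum_ok(data):
    """RFC 1071 check: the one's-complement sum over valid data is 0xFFFF."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

if __name__ == "__main__":
    frags = [parse_fragment(p) for p in (FRAG_56, FRAG_8)]
    for f in frags:
        print(f["id"], f["offset"], len(f["data"]), f["mf"], is_tiny(f))
    icmp = reassemble(frags)
    print(len(icmp), icmp[0], inet_checksum_ok(icmp))
```

The 8-byte first fragment holds only the ICMP header, and the checksum it carries validates only over the reassembled 64-byte message.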





