[Snort-users] BAD TRAFFIC bad frag bits, MISC Large UDP Packet and RPC portmap request bootparam

Todd Holloway todd at ...4574...
Wed Jan 23 11:53:18 EST 2002


I'm evaluating Demarc's PureSecure (w/ Snort Version 1.8.3 (Build 88)).

When a newly set up Solaris 2.8 Jumpstart server "jumpstarts" a
machine, I get quite a few alerts (like 4000+ :).

I see the "ERRs" below from tcpdump (version 3.6, libpcap version 0.6) on Linux,
but not from tcpdump (same version of both) on the Solaris 2.8 server.

What's going on?
I'm guessing it's something different in the TCP stack implementation, but I'm missing it.

have a happy mind,
todd

______________________________
SIGNATURE: RPC portmap request bootparam
SRC IP: 1.1.1.1
DST IP: 255.255.255.255
______________________________
SIGNATURE: BAD TRAFFIC bad frag bits
SRC IP: 1.1.1.2
DST IP: 1.1.1.1
______________________________
SIGNATURE: BAD TRAFFIC bad frag bits
SRC IP: 1.1.1.2
DST IP: 1.1.1.1
______________________________
SIGNATURE: BAD TRAFFIC bad frag bits
SRC IP: 1.1.1.2
DST IP: 1.1.1.1
______________________________
SIGNATURE: BAD TRAFFIC bad frag bits
SRC IP: 1.1.1.2
DST IP: 1.1.1.1
______________________________
SIGNATURE: BAD TRAFFIC bad frag bits
SRC IP: 1.1.1.2
DST IP: 1.1.1.1
______________________________
SIGNATURE: MISC Large UDP Packet
SRC IP: 1.1.1.2
DST IP: 1.1.1.1
______________________________
SIGNATURE: BAD TRAFFIC bad frag bits
SRC IP: 1.1.1.2
DST IP: 1.1.1.1
______________________________

11:33:20.085820 1.1.1.2.nfs > 1.1.1.1.4214770757: reply ERR 1460 (DF) (ttl 64, id 63315, len 1500)
11:33:20.085820 1.1.1.2.nfs > 1.1.1.1.3153343559: reply ERR 1460 (DF) (ttl 64, id 63316, len 1500)
11:33:20.085820 1.1.1.2.nfs > 1.1.1.1.2822450691: reply ERR 1460 (DF) (ttl 64, id 63317, len 1500)
11:33:20.085820 1.1.1.2.nfs > 1.1.1.1.1934238373: reply ERR 1460 (DF) (ttl 64, id 63318, len 1500)
11:33:20.085820 1.1.1.2.nfs > 1.1.1.1.3244921369: reply ERR 1460 (DF) (ttl 64, id 63319, len 1500)
11:33:20.085820 1.1.1.2.nfs > 1.1.1.1.346190187: reply ERR 1460 (DF) (ttl 64, id 63320, len 1500)
11:33:20.085820 1.1.1.2.nfs > 1.1.1.1.1646961569: reply ERR 1460 (DF) (ttl 64, id 63321, len 1500)
11:33:20.085820 1.1.1.2.nfs > 1.1.1.1.2722629544: reply ERR 1460 (DF) (ttl 64, id 63322, len 1500)
11:33:20.085820 1.1.1.2.nfs > 1.1.1.1.2076031598: reply ERR 648 (DF) (ttl 64, id 63323, len 688)
11:33:20.135822 1.1.1.2.nfs > 1.1.1.1.3296674272: reply ok 132 (DF) (ttl 64, id 63324, len 172)
11:33:20.135822 1.1.1.2.nfs > 1.1.1.1.4131376078: reply ERR 1460 (DF) (ttl 64, id 63325, len 1500)
11:33:20.135822 1.1.1.2.nfs > 1.1.1.1.1764277460: reply ERR 1460 (DF) (ttl 64, id 63326, len 1500)
11:33:20.135822 1.1.1.2.nfs > 1.1.1.1.2785970758: reply ERR 1460 (DF) (ttl 64, id 63327, len 1500)
11:33:20.135822 1.1.1.2.nfs > 1.1.1.1.2715686601: reply ERR 1460 (DF) (ttl 64, id 63328, len 1500)
11:33:20.135822 1.1.1.2.nfs > 1.1.1.1.3324449566: reply ERR 1460 (DF) (ttl 64, id 63329, len 1500)
11:33:20.135822 1.1.1.2.nfs > 1.1.1.1.2863339656: reply ERR 1460 (DF) (ttl 64, id 63330, len 1500)
11:33:20.135822 1.1.1.2.nfs > 1.1.1.1.1277245857: reply ERR 1460 (DF) (ttl 64, id 63331, len 1500)
11:33:20.135822 1.1.1.2.nfs > 1.1.1.1.2002626110: reply ERR 1460 (DF) (ttl 64, id 63332, len 1500)
11:33:20.135822 1.1.1.2.nfs > 1.1.1.1.2634077603: reply ERR 1460 (DF) (ttl 64, id 63333, len 1500)
11:33:20.135822 1.1.1.2.nfs > 1.1.1.1.3985510588: reply ERR 1460 (DF) (ttl 64, id 63334, len 1500)
11:33:20.135822 1.1.1.2.nfs > 1.1.1.1.3851470169: reply ERR 1460 (DF) (ttl 64, id 63335, len 1500)
11:33:20.135822 1.1.1.2.nfs > 1.1.1.1.2215298473: reply ERR 116 (DF) (ttl 64, id 63336, len 156)
11:33:20.305831 1.1.1.2.nfs > 1.1.1.1.3296674273: reply ok 116 (DF) (ttl 64, id 63337, len 156)
11:33:21.325880 1.1.1.2.nfs > 1.1.1.1.3296674274: reply ok 116 (DF) (ttl 64, id 63338, len 156)
11:33:21.325880 1.1.1.2.nfs > 1.1.1.1.3296674275: reply ok 116 (DF) (ttl 64, id 63339, len 156)
11:33:21.335881 1.1.1.2.nfs > 1.1.1.1.3296674276: reply ok 116 (DF) (ttl 64, id 63340, len 156)
11:33:21.335881 1.1.1.2.nfs > 1.1.1.1.3296674277: reply ok 120 (DF) (ttl 64, id 63341, len 160)
11:33:21.345881 1.1.1.2.nfs > 1.1.1.1.3296674278: reply ok 244 (DF) (ttl 64, id 63342, len 284)
11:33:21.345881 1.1.1.2.nfs > 1.1.1.1.3296674279: reply ok 124 (DF) (ttl 64, id 63343, len 164)
11:33:21.345881 1.1.1.2.nfs > 1.1.1.1.3296674280: reply ok 124 (DF) (ttl 64, id 63344, len 164)
11:33:21.345881 1.1.1.2.nfs > 1.1.1.1.3296674281: reply ok 132 (DF) (ttl 64, id 63345, len 172)
11:33:21.345881 1.1.1.2.nfs > 1.1.1.1.1030975585: reply ERR 784 (DF) (ttl 64, id 63346, len 824)

-- 
"This UI has been brought to you by the letters 'S' and 'K', and the runlevel 3." 
						- Greg Andrews 
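The two Snort signatures in the post key on the IPv4 fragmentation fields: "BAD TRAFFIC bad frag bits" fires when a packet carries both the More Fragments (MF) and Don't Fragment (DF) flags, a combination no sane stack emits, and "MISC Large UDP Packet" fires on a UDP datagram whose payload exceeds 4000 bytes, which for a fragmented NFS read only becomes visible once the fragments are reassembled. The following is an added example, not code from the original post, from Snort or from tcpdump: it builds IPv4 headers from scratch, decodes the flags/offset word, applies both checks, and reassembles a constructed 8 KB NFS-sized reply from 1.1.1.2 to 1.1.1.1 split at a 1500-byte MTU. The addresses, IP id and datagram size mirror the post's capture but the packets themselves are fabricated; `df=True` on the fragmenter is used deliberately to manufacture the impossible DF+MF case.

```python
import struct

IP_DF = 0x4000
IP_MF = 0x2000
OFFSET_MASK = 0x1FFF
IPV4_FMT = "!BBHHHBBH4s4s"   # minimal 20-byte header, no options


def checksum(data: bytes) -> int:
    """Standard one's-complement checksum over 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _addr(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def build_ipv4(src, dst, ident, payload, df=False, mf=False, offset=0, proto=17, ttl=64):
    """Build an IPv4 packet. `offset` is in 8-byte units, as carried on the wire."""
    flags_frag = (IP_DF if df else 0) | (IP_MF if mf else 0) | (offset & OFFSET_MASK)
    fields = [0x45, 0, 20 + len(payload), ident, flags_frag, ttl, proto, 0, _addr(src), _addr(dst)]
    fields[7] = checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields) + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed header; the fragment offset is returned in bytes."""
    vihl, _tos, total_len, ident, ff, ttl, proto, _csum, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {
        "id": ident, "len": total_len, "ttl": ttl, "proto": proto,
        "df": bool(ff & IP_DF), "mf": bool(ff & IP_MF), "offset": (ff & OFFSET_MASK) * 8,
        "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
        "payload": pkt[ihl:total_len],
    }


def bad_frag_bits(h: dict) -> bool:
    """MF and DF together: 'more fragments follow' from a sender that forbade fragmentation."""
    return h["df"] and h["mf"]


def large_udp(datagram: bytes, threshold: int = 4000) -> bool:
    """UDP payload (after the 8-byte UDP header) larger than the threshold; proto 17 assumed."""
    return len(datagram) - 8 > threshold


class Reassembler:
    """Minimal IP reassembly keyed on (src, dst, id, proto); no overlap or timeout handling."""

    def __init__(self):
        self.pending = {}

    def feed(self, h: dict):
        """Return the complete datagram once all fragments are present, else None."""
        if not h["mf"] and h["offset"] == 0:
            return h["payload"]            # not fragmented at all
        key = (h["src"], h["dst"], h["id"], h["proto"])
        entry = self.pending.setdefault(key, {"parts": {}, "total": None})
        entry["parts"][h["offset"]] = h["payload"]
        if not h["mf"]:                    # last fragment fixes the total length
            entry["total"] = h["offset"] + len(h["payload"])
        if entry["total"] is None:
            return None
        expected = 0                       # require a gap-free run from offset 0
        for off in sorted(entry["parts"]):
            if off != expected:
                return None
            expected += len(entry["parts"][off])
        if expected != entry["total"]:
            return None
        data = b"".join(entry["parts"][off] for off in sorted(entry["parts"]))
        del self.pending[key]
        return data


def fragment(src, dst, ident, datagram, mtu=1500, df=False):
    """Split one datagram into IP fragments the way a sender would (8-byte aligned chunks)."""
    chunk = (mtu - 20) // 8 * 8
    pieces = [datagram[i:i + chunk] for i in range(0, len(datagram), chunk)]
    return [build_ipv4(src, dst, ident, p, df=df, mf=(i < len(pieces) - 1), offset=(i * chunk) // 8)
            for i, p in enumerate(pieces)]


def demo() -> dict:
    """Constructed traffic: an 8180-byte NFS-style UDP reply, sent with DF wrongly left on."""
    udp_datagram = struct.pack("!HHHH", 2049, 40000, 8 + 8180, 0) + b"\x00" * 8180
    reasm, counts = Reassembler(), {"frags": 0, "bad": 0, "large": 0}
    for pkt in fragment("1.1.1.2", "1.1.1.1", 63315, udp_datagram, df=True):
        h = parse_ipv4(pkt)
        counts["frags"] += 1
        counts["bad"] += bad_frag_bits(h)
        full = reasm.feed(h)
        if full is not None and large_udp(full):
            counts["large"] += 1
    return counts


if __name__ == "__main__":
    print(demo())
```

Every fragment but the last carries MF, so with DF forced on, five of the six pieces trip the bad-frag-bits check while the last (DF with a non-zero offset) does not; the size check fires exactly once, after reassembly, which is why a single oversized NFS reply shows up as a burst of frag alerts followed by one large-packet alert rather than the other way round.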