[Snort-users] Another Not IPv4 Datagram

Mike Maki mmaki at ...4723...
Wed Dec 17 15:26:03 EST 2003


I've found one of my OpenBSD 3.3 Samba file servers is broadcasting a bogus
packet every 12 minutes (Header length: 0 bytes). It looks to me like
an NT browser election request or response. Snort alerts it as
"Not IPv4 datagram!" Is the packet actually malformed?
My other OBSD Samba servers don't do this. The full packet is below.
Thanks for any ideas.

Mike

Frame 4 (264 bytes on wire, 264 bytes captured)
    Packet Length: 264 bytes
    Capture Length: 264 bytes
Ethernet II, Src: 00:30:6e:11:b1:73, Dst: ff:ff:ff:ff:ff:ff
    Destination: ff:ff:ff:ff:ff:ff (Broadcast)
    Source: 00:30:6e:11:b1:73 (HewlettP_11:b1:73)
    Type: IP (0x0800)
Internet Protocol
    Version: 0
    Header length: 0 bytes (bogus, must be at least 20)

0000  ff ff ff ff ff ff 00 30 6e 11 b1 73 08 00 00 00   .......0n..s....
0010  00 00 00 00 00 00 00 11 00 e6 a5 53 4e 0c a5 53   ...........SN..S
0020  4e 7f 00 8a 00 8a 00 e6 00 00 11 0a 19 28 a5 53   N............(.S
0030  4e 0c 00 8a 00 d0 00 00 20 45 4a 45 4f 46 41 46   N....... EJEOFAF
0040  44 45 42 45 4e 45 50 43 4e 45 49 46 42 45 48 45   DEBENEPCNEIFBEHE
0050  4a 46 44 44 42 43 41 41 41 00 20 46 44 45 42 45   JFDDBCAAA. FDEBE
0060  4e 45 50 45 49 46 42 43 41 43 41 43 41 43 41 43   NEPEIFBCACACACAC
0070  41 43 41 43 41 43 41 43 41 42 4e 00 ff 53 4d 42   ACACACACABN..SMB
0080  25 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   %...............
0090  00 00 00 00 00 00 00 00 00 00 00 00 11 00 00 36   ...............6
00a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00b0  00 00 00 36 00 56 00 03 00 01 00 01 00 02 00 47   ...6.V.........G
00c0  00 5c 4d 41 49 4c 53 4c 4f 54 5c 42 52 4f 57 53   .\MAILSLOT\BROWS
00d0  45 00 01 3a 80 fc 0a 00 49 4e 50 53 41 4d 4f 2d   E..:....INPSAMO-
00e0  48 51 47 49 53 31 00 00 04 09 03 9b 00 00 0f 01   HQGIS1..........
00f0  55 aa 47 49 53 20 53 61 6d 62 61 20 46 69 6c 65   U.GIS Samba File
0100  20 53 65 72 76 65 72 00                            Server.
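
An added example, not part of the original post and not Snort's code: a short Python check that decodes the 20 bytes following the Ethernet header of the frame above and applies the basic IPv4 header sanity rules the decode reports on (version must be 4, header length at least 20 bytes). The names `FRAME` and `check_ipv4` are hypothetical; the bytes are copied from the first 42 bytes of the hex dump.

```python
import ipaddress
import struct

# First 42 bytes of the frame quoted in the post, copied from its hex dump.
FRAME = bytes.fromhex(
    "ffffffffffff" "00306e11b173" "0800"   # Ethernet II: dst, src, type IP
    "000000000000000000" "11" "00e6"       # bytes 14-25, where IPv4 header fields belong
    "a5534e0c" "a5534e7f"                  # bytes 26-33: source and destination address
    "008a008a00e60000"                     # bytes 34-41, where the UDP header belongs
)

IP_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, network byte order


def check_ipv4(frame):
    """Decode the IPv4 header that follows a 14-byte Ethernet II header
    and return its fields plus a list of failed sanity checks."""
    if len(frame) < 14 + struct.calcsize(IP_FMT):
        raise ValueError("frame too short for Ethernet + IPv4 header")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("EtherType is not IP (0x0800)")
    (ver_ihl, _tos, total_len, _ident, _frag,
     ttl, proto, cksum, src, dst) = struct.unpack(IP_FMT, frame[14:34])
    version, header_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    problems = []
    if version != 4:
        problems.append(f"version is {version}, expected 4")
    if header_len < 20:
        problems.append(f"header length is {header_len} bytes, minimum is 20")
    if total_len < max(header_len, 20):
        problems.append(f"total length {total_len} is smaller than the header")
    if ttl == 0:
        problems.append("TTL is 0")
    return {
        "version": version, "header_len": header_len, "total_len": total_len,
        "ttl": ttl, "protocol": proto, "checksum_field": cksum,
        "src": str(ipaddress.ip_address(src)),
        "dst": str(ipaddress.ip_address(dst)),
        "problems": problems,
    }


if __name__ == "__main__":
    result = check_ipv4(FRAME)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The protocol and address positions still decode to plausible values (protocol 17, both addresses in 165.83.78.x), while the version, header length, total length and TTL fields are all zero.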



