Fw: [Snort-users] UDP 1434

jai jai.s at ...6716...
Sat Jan 25 09:15:04 EST 2003


 Hi,

 Internet traffic of INDIA's and ASIA's network has been affected
 badly.....it's amazing....seriously microsoft sucks.. but it's fun !! :-)

 Well I found something new in this ... I think this worm spoofs IP address
 according ....below is the tcpdump output ..out of which the host is
 ....169.254.198.47. sending repeated packets to different
 network...but...169.254.198.47..is not our
 network....after matching the MAC address ..it was originating ...from our
 IP i.e. 202.71.129.197..
 tcpdump output :

 20:56:28.016820 0:2:b3:2f:a4:95 1:0:5e:2d:b2:12 ip 418: 169.254.198.47.4041 > 224.173.178.18.ms-sql-m:  udp 376 [ttl 1]
                          4500 0194 8e94 0000 0111 26d7 a9fe c62f
                          e0ad b212 0fc9 059a 0180 2294 0401 0101
                          0101 0101 0101 0101 0101 0101 0101 0101
                          0101 0101 0101 0101 0101 0101 0101 0101
                          0101 0101 0101 0101 0101 0101 0101 0101
                          0101
 20:56:28.016820 0:2:b3:2f:a4:95 1:0:5e:58:ed:71 ip 418: 169.254.198.47.4041 > reserved-multicast-range-NOT-delegated.example.com.ms-sql-m:  udp 376 [ttl 1]
                          4500 0194 8e95 0000 0111 e5cb a9fe c62f
                          e658 ed71 0fc9 059a 0180 e189 0401 0101
                          0101 0101 0101 0101 0101 0101 0101 0101
                          0101 0101 0101 0101 0101 0101 0101 0101
                          0101 0101 0101 0101 0101 0101 0101 0101


 Router the MAC address ..
 Internet  202.71.129.197        157   0002.b32f.a495  ARPA   FastEthernet6/0

 I am running snort ...but it didn't detect....


 Rgds
 Jai

> ----- Original Message -----
> From: Paul Marcus <paulmarcus at ...468...>
> To: jai <jai.s at ...6716...>
> Cc: <snort-users at lists.sourceforge.net>
> Sent: Saturday, January 25, 2003 8:20 PM
> Subject: Re: [Snort-users] UDP 1434
>
>
> >
> > http://forums.military.com/1/OpenTopic?a=tpc&s=78919038&f=409192893&m=4551982416
> >
> > http://slashdot.org/articles/03/01/25/1245206.shtml?tid=109
> >
> >
> > On Sat, 2003-01-25 at 06:49, jai wrote:
> > > Hi,
> > >
> > >
> > > I am getting very high traffic on UDP 1434 ....
> > >
> > > what might be the problem
> > >
> > > Rgds
> > > Jai
> >
> >
> >
>
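
Decoding the first captured packet from the message above, as an added example that is not part of the original post: it parses the IPv4 and UDP headers from the hex dump, verifies the IP header checksum, and checks the source address against the site's own prefix. `LOCAL_NET` is an assumption (only 202.71.129.197 appears in the post), and the function names are hypothetical.

```python
import ipaddress
import struct

# First 32 bytes of the first packet, copied from the tcpdump output above.
CAPTURED_HEX = """
4500 0194 8e94 0000 0111 26d7 a9fe c62f
e0ad b212 0fc9 059a 0180 2294 0401 0101
"""
# Assumption: the site's prefix. Only 202.71.129.197 appears in the post.
LOCAL_NET = ipaddress.ip_network("202.71.129.0/24")


def header_checksum_ok(header: bytes) -> bool:
    """The one's-complement sum of a valid IPv4 header folds to 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode(hex_dump: str) -> dict:
    """Decode the IPv4 and UDP headers from a tcpdump -x style hex dump."""
    raw = bytes.fromhex("".join(hex_dump.split()))
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (raw[0] & 0x0F) * 4  # header length in bytes
    if raw[9] != 17 or len(raw) < ihl + 8:
        raise ValueError("not a complete UDP header")
    sport, dport, udp_len = struct.unpack("!HHH", raw[ihl:ihl + 6])
    return {
        "src": ipaddress.ip_address(raw[12:16]),
        "dst": ipaddress.ip_address(raw[16:20]),
        "ttl": raw[8],
        "sport": sport, "dport": dport,
        "payload_len": udp_len - 8,  # UDP length includes its 8-byte header
        "checksum_ok": header_checksum_ok(raw[:ihl]),
    }


def findings(pkt: dict) -> list:
    """Address properties worth flagging on an egress interface."""
    out = []
    if pkt["src"] not in LOCAL_NET:
        out.append("source outside local prefix")
    if pkt["src"].is_link_local:
        out.append("link-local source (169.254.0.0/16)")
    if pkt["dst"].is_multicast:
        out.append("multicast destination")
    return out
```

The decoded fields match the tcpdump summary line (source port 4041, destination port 1434, 376 payload bytes, TTL 1), and the header checksum validates.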




