[Snort-users] Calling all packet monkeys

Paul Schmehl pauls at ...6838...
Tue Mar 22 14:22:21 EST 2005


Setting aside the fact that we have a default deny policy on inbound 
traffic and the fact that I have confirmed that we *explicitly* do not 
allow traffic to port 161 (snmp), I am seeing some really strange traffic.

The alert being tripped is:
alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request tcp"; 
flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; 
reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; 
classtype:attempted-recon; sid:1418; rev:11;)

src host is a foreign address
src port is 135 ?!?!
dst host is an RFC1918 address
dst port is 161

Every one of the 38 packets has the ACK and RST flags set.

Payload is:
length = 20

000 : 00 00 00 00 50 10 02 00 00 00 00 00 00 00 00 00   ....P...........
010 : 00 00 00 00                                       ....

Anyone have any idea what this might be?

(much less how it could happen?)  I can only think of two possibilities: 
either a NAT address that's "opened a hole" or a spoofed src host.

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
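Added example (editor's note, not part of Paul's post or of the Snort rule set): a small Python model of why sid:1418 fires on these packets. The rule header is `tcp $EXTERNAL_NET any -> $HOME_NET 161` with `flow:stateless` and no content match, so neither the RST/ACK flags nor the 20 zero-ish payload bytes matter; only the direction and the destination port do. The hex-dump parser below reads the dump exactly as posted, and the destination network, the foreign source address (203.0.113.7, a documentation address) and the `flow:established` comparison variant are constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 private ranges, used to classify the destination as the post does.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# TCP control bits (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# The payload hex dump exactly as it appears in the post.
POSTED_DUMP = """\
000 : 00 00 00 00 50 10 02 00 00 00 00 00 00 00 00 00   ....P...........
010 : 00 00 00 00                                       ....
"""


@dataclass
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_snort_hexdump(dump: str) -> bytes:
    """Turn a Snort-style dump ('000 : 00 00 ... 00   ascii') back into bytes.
    Each line is offset, colon, up to 16 two-digit hex tokens, then an ASCII
    gutter; parsing stops at the first token that is not a hex pair."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _, _, rest = line.partition(":")          # drop the "000 :" offset
        for tok in rest.split():
            if len(tok) != 2 or not all(c in "0123456789abcdefABCDEF" for c in tok):
                break                              # reached the ASCII gutter
            out.append(int(tok, 16))
    return bytes(out)


def flag_names(flags: int) -> str:
    names = [("FIN", FIN), ("SYN", SYN), ("RST", RST),
             ("PSH", PSH), ("ACK", ACK), ("URG", URG)]
    return "+".join(n for n, bit in names if flags & bit) or "none"


def matches_sid1418(pkt: TcpPacket, home_net: str) -> bool:
    """Header of sid:1418: alert tcp $EXTERNAL_NET any -> $HOME_NET 161,
    flow:stateless, no content option. $EXTERNAL_NET is taken as !$HOME_NET
    (Snort's default). 'stateless' means the stream state is not consulted,
    so the flags and payload never enter the decision."""
    home = ipaddress.ip_network(home_net)
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return src not in home and dst in home and pkt.dport == 161


def matches_established_variant(pkt: TcpPacket, home_net: str,
                                handshake_seen: bool) -> bool:
    """Hypothetical variant of the same rule written with flow:established:
    it only fires once the stream preprocessor has tracked a completed
    three-way handshake, which an unsolicited RST/ACK does not have."""
    return matches_sid1418(pkt, home_net) and handshake_seen


# Constructed sample: the packet described in the post (foreign source,
# sport 135, RFC 1918 destination, dport 161, RST+ACK, the posted 20 bytes).
SAMPLE = TcpPacket(src="203.0.113.7", sport=135, dst="10.1.2.3", dport=161,
                   flags=ACK | RST, payload=parse_snort_hexdump(POSTED_DUMP))

if __name__ == "__main__":
    print("payload length:", len(SAMPLE.payload), "flags:", flag_names(SAMPLE.flags))
    print("dst is RFC1918:", is_rfc1918(SAMPLE.dst))
    print("sid:1418 (stateless) fires:", matches_sid1418(SAMPLE, "10.0.0.0/8"))
    print("established variant fires:",
          matches_established_variant(SAMPLE, "10.0.0.0/8", handshake_seen=False))
```

The practical point for triage: a stateless rule with no content check will alert on any TCP segment to port 161 from outside, including bare RST/ACK packets that a stateful rule would ignore, so the alert by itself says nothing about whether a session to port 161 ever existed.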
