[Snort-users] Calling all packet monkeys

Briggs, Bruce Bruce.Briggs at ...13183...
Tue Mar 22 17:57:35 EST 2005


Or someone brought in a laptop/foreign PC or a wireless device/wireless
PC which had a static IP addr from outside your organization. 

Bruce
-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Paul
Schmehl
Sent: Tuesday, March 22, 2005 5:22 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Calling all packet monkeys

Setting aside the fact that we have a default deny policy on inbound
traffic and the fact that I have confirmed that we *explicitly* do not
allow traffic to port 161 (snmp), I am seeing some really strange
traffic.

The alert being tripped is:
alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request tcp";
flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089;
reference:bugtraq,4132; reference:cve,2002-0012;
reference:cve,2002-0013; classtype:attempted-recon; sid:1418; rev:11;)

src host is a foreign address
src port is 135 ?!?!
dst host is an RFC1918 address
dst port is 161

Every one of the 38 packets has the ACK and RST flags set.

Payload is:
length = 20

000 : 00 00 00 00 50 10 02 00 00 00 00 00 00 00 00 00   ....P...........
010 : 00 00 00 00                                       ....

Anyone have any idea what this might be?

(much less how it could happen?) I can only think of two possibilities:
either a NAT address that's "opened a hole" or a spoofed src host.

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
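As an added triage example (not code from the thread, from Paul or Bruce, or from the Snort project), the following Python reproduces the conditions under which sid 1418 fires and flags the oddities the post lists, so the same checks can be run over a batch of these alerts. It assumes $HOME_NET is the RFC 1918 space, which the post only implies by saying the destination is an RFC1918 address; the source and destination addresses in the sample are placeholders (RFC 5737 TEST-NET-3 and an RFC 1918 address) because the post does not give the real ones. The payload bytes, ports and flags are the ones reported.

```python
"""Triage helper for the RST/ACK "SNMP request tcp" alerts described above.

Added example, not code from the thread or from Snort. It parses Snort's
hex payload dump, decodes TCP flags, models the conditions under which
sid 1418 matches, and lists the things worth checking before believing
the alert. Assumptions are marked in comments.
"""
import ipaddress

# TCP flag bits, lowest bit first (RFC 793 plus the ECN bits of RFC 3168).
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
             0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR"}

# Assumption: $HOME_NET is the RFC 1918 space. The post only says the
# destination is an RFC 1918 address; the real snort.conf is not shown.
HOME_NET = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_home(addr: str) -> bool:
    """True if addr falls inside the assumed $HOME_NET ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)


def parse_snort_dump(text: str) -> bytes:
    """Turn Snort's 'OFF : HH HH ... <ascii>' payload dump back into bytes.

    The hex column is fixed width (16 bytes = 47 characters), so slicing
    it off avoids mistaking the ASCII column for hex digits.
    """
    out = bytearray()
    for line in text.splitlines():
        if " : " not in line:
            continue
        _, _, rest = line.partition(" : ")
        out.extend(bytes.fromhex(rest[:48].replace(" ", "")))
    return bytes(out)


def decode_flags(bits: int) -> list:
    """Return the names of the set TCP flags, lowest bit first."""
    return [name for bit, name in sorted(TCP_FLAGS.items()) if bits & bit]


def sid1418_matches(pkt: dict) -> bool:
    """Model of sid 1418: alert tcp $EXTERNAL_NET any -> $HOME_NET 161, flow:stateless.

    flow:stateless makes Snort evaluate the rule on every matching packet
    regardless of stream state, so no handshake or established session is
    needed. That is why a bare RST/ACK trips a rule called "SNMP request".
    """
    return (pkt["proto"] == "tcp"
            and pkt["dport"] == 161
            and not is_home(pkt["src"])
            and is_home(pkt["dst"]))


def triage(pkt: dict) -> list:
    """List the oddities worth checking before trusting the alert."""
    flags = decode_flags(pkt["flags"])
    notes = []
    if "RST" in flags and "ACK" in flags and "SYN" not in flags:
        notes.append("RST/ACK with no handshake: a reply or reset, not an SNMP "
                     "request; it matched only because the rule is flow:stateless")
    if "RST" in flags and pkt["payload"]:
        notes.append("RST segment carries %d bytes of payload, which is unusual"
                     % len(pkt["payload"]))
    if pkt["sport"] < 1024:
        notes.append("source port %d is a well-known service port, not an "
                     "ephemeral client port" % pkt["sport"])
    if is_home(pkt["dst"]) and not is_home(pkt["src"]):
        notes.append("RFC 1918 destination reached from an outside address: look "
                     "for a NAT mapping, a spoofed source, or an inside host "
                     "configured with a foreign static IP")
    return notes


# Constructed from the values in the post. The real addresses are not given,
# so placeholders are used: TEST-NET-3 (RFC 5737) for the foreign source and
# an RFC 1918 address for the destination. Payload, ports and flags are as reported.
SAMPLE_DUMP = (
    "000 : 00 00 00 00 50 10 02 00 00 00 00 00 00 00 00 00   ....P...........\n"
    "010 : 00 00 00 00                                       ....\n"
)
SAMPLE_PKT = {
    "proto": "tcp",
    "src": "203.0.113.7",
    "sport": 135,
    "dst": "192.168.1.10",
    "dport": 161,
    "flags": 0x14,            # ACK (0x10) + RST (0x04), as reported
    "payload": parse_snort_dump(SAMPLE_DUMP),
}

if __name__ == "__main__":
    print("flags:", "/".join(decode_flags(SAMPLE_PKT["flags"])))
    print("payload:", SAMPLE_PKT["payload"].hex(), "(%d bytes)" % len(SAMPLE_PKT["payload"]))
    print("sid 1418 matches:", sid1418_matches(SAMPLE_PKT))
    for note in triage(SAMPLE_PKT):
        print(" -", note)
```

The point the model makes explicit is the `flow:stateless` keyword: the rule is evaluated on any TCP packet to port 161 from outside, handshake or not, so a stray RST/ACK counts as an "SNMP request" even though nothing was requested. Rewriting the flow option as `flow:to_server,established` would stop this class of hit from firing at all; whether to do that depends on whether you still want to see who is sending resets at your RFC 1918 space, which is the more interesting question the thread is actually asking.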

