[Snort-users] snort_decoder: Short UDP packet, length field > payload length

Bamm Visscher bamm.visscher at ...11827...
Tue Sep 12 17:55:00 EDT 2006


If I had to guess, I'd say you have a mangled IPSEC via UDP packet
(normally associated w/port 4500).  It'd be better if you had the
actual packet (and any others belonging to the session) captured.

Bammkkkk


On 9/12/06, Eric Hines <eric.hines at ...8860...> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Has anyone seen this type of traffic before? It's a UDP Header Length >
> Payload Length alert, but what's odd is the UDP Length is being reported
> as 4500 bytes! But the packet is actually quite small and you see it's
> not a fragment. The Source and Destination ports concern me along with
> who owns that IP address. Is this possibly related to Oracle in any way?
> Has anyone who runs Oracle seen this packet before? The IP owner
> information is below as well.
>
> IP Header HEX removed for privacy.
>
> - ------------- packet --------------
>
> APPLIED WATCH EVENT INFORMATION:
> Alert ID: 6388082
> Priority: 3
> Timestamp: Tue Sep 12 10:22:46 CDT 2006
> Signature ID : 97
> Message: snort_decoder: Short UDP packet, length field > payload length
>
> IP HEADER INFORMATION:
> Ver: 4
> Length: 108
> Flags: 0
> Checksum: 25081
> Hlen: 5
> ID: 1
> TTL: 128
> Source IP: XXX.XXX.XXX.XXX
> TOS: 0
> Offset: 0
> Proto: 17
> Dest IP: 148.87.5.71
>
> UDP PROTOCOL INFORMATION:
> Source Port: 37892
> Destination Port: 0
> Length: 4500
> Checksum: 4500
>
> PAYLOAD INFORMATION:
> 9404 0000 1194 1194 0054 0000 250f d5a6         .G.........T..%...
> 0000 0001 ee99 1554 273f 6db9 d50e 330c 8ae3    .......T'?m...3...
> e1e8 7a9c 1720 53cc 692a dcf1 c68e e3cd 231b    ..z.. S.i*......#.
> 8699 782c 82b6 6573 ea9a ef43 2e19 9d62 5a14    ..x,..es...C...bZ.
> 6478 e43e 25b2 480e 1d4e e9c0 5787 ee1e fbfd    dx.>%.H..N..W.....
>
>
> 148.87.5.71 is owned by Oracle it seems:
> - -----------------------
> OrgName:    Oracle Datenbanksysteme GmbH
> OrgID:      ODG-3
> Address:    500 Oracle Pkwy
> City:       Redwood Shores
> StateProv:  CA
> PostalCode: 94065
> Country:    US
>
> NetRange:   148.87.0.0 - 148.87.255.255
> CIDR:       148.87.0.0/16
> NetName:    ORACLE-AT
> NetHandle:  NET-148-87-0-0-1
> Parent:     NET-148-0-0-0-0
> NetType:    Direct Assignment
> NameServer: NS1.ORACLE.COM
> NameServer: NS4.ORACLE.COM
> Comment:
> RegDate:    1991-04-11
> Updated:    2002-04-15
>
> RTechHandle: JKD7-ARIN
> RTechName:   Doyle, John K.
> RTechPhone:  +1-650-506-2380
> RTechEmail:  john.doyle at ...13925...
>
> - --
>
> Best Regards,
>
> Eric S. Hines, GCIA, CISSP
> CEO, President, Chairman
> Applied Watch Technologies, LLC
>
>
> - --------------------------------------------------
>
> Email:   eric.hines at ...8860...
> Address: 1095 Pingree Road
>          Suite 221
>          Crystal Lake, IL
>          60014
> Tel:     (877) 262-7593 ext:327
> Local:   (847) 854-5831
> Fax:     (847) 854-5106
> Web:     http://www.appliedwatch.com
>
> - --------------------------------------------------
> Security Management for the Open Source Enterprise
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.4 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFFBysj1va6QYTV0EMRAkE+AJwLPG9ch0ZFDuW18aY6yUczIneimQCfSP9B
> IBagYj1HNpEVzIhfjREVeuk=
> =OODh
> -----END PGP SIGNATURE-----
>
>


-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net
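To show what the snort_decoder alert above actually tests, and to try the "mangled IPsec via UDP" reading on the bytes Eric posted, here is an added Python example (not code from the thread, Snort or sguil). It takes the 88 payload bytes from the quoted hex dump, decodes the UDP header the way Snort did (which reproduces the reported ports 37892/0 and length 4500), then searches for a byte offset at which the UDP length field agrees with the bytes present. That the true UDP header sits four bytes further in, and that what follows it is UDP-encapsulated ESP in the RFC 3948 layout (SPI, then sequence number), are assumptions of this example, not facts stated in the thread, though 0x1194 is 4500 and the next words do fit that layout.

```python
import struct

# Constructed from the hex dump quoted in the thread. Snort reported an IP
# total length of 108 with Hlen 5 (a 20-byte header), so 88 bytes reach the
# UDP decoder. Redacted IP header bytes are not included.
UDP_BYTES = bytes.fromhex(
    "9404 0000 1194 1194 0054 0000 250f d5a6"
    "0000 0001 ee99 1554 273f 6db9 d50e 330c 8ae3"
    "e1e8 7a9c 1720 53cc 692a dcf1 c68e e3cd 231b"
    "8699 782c 82b6 6573 ea9a ef43 2e19 9d62 5a14"
    "6478 e43e 25b2 480e 1d4e e9c0 5787 ee1e fbfd"
)

NAT_T_PORT = 4500  # UDP port for IPsec NAT traversal (RFC 3948)


def parse_udp(data, offset=0):
    """Decode the 8-byte UDP header found at `offset` and apply the same
    sanity test the Snort decoder uses: the length field must not claim more
    bytes than are actually present after the header starts."""
    available = len(data) - offset
    if available < 8:
        raise ValueError("fewer than 8 bytes available for a UDP header")
    sport, dport, length, csum = struct.unpack_from("!HHHH", data, offset)
    return {
        "sport": sport,
        "dport": dport,
        "length": length,
        "checksum": csum,          # 0 is legal for UDP over IPv4 (no checksum)
        "available": available,
        "short_udp": length > available,   # "Short UDP packet, length field > payload length"
        "long_udp": 8 <= length < available,  # the mirror-image decoder alert
    }


def realign(data, max_shift=8):
    """Assumption: a few stray bytes may precede the real UDP header. Try small
    offsets and return the first one where the length field matches the bytes
    present, or (None, None) if no offset is self-consistent."""
    for off in range(max_shift + 1):
        if len(data) - off < 8:
            break
        hdr = parse_udp(data, off)
        if hdr["length"] >= 8 and hdr["length"] == hdr["available"]:
            return off, hdr
    return None, None


def parse_nat_t(data, offset):
    """Interpret bytes after a UDP/4500 header per RFC 3948: four zero bytes
    are the Non-ESP Marker (IKE follows); otherwise the first eight bytes are
    the ESP SPI and sequence number. Applying this to the posted packet is an
    assumption of the example."""
    spi, seq = struct.unpack_from("!II", data, offset)
    if spi == 0:
        return {"kind": "IKE (Non-ESP marker)"}
    return {"kind": "ESP", "spi": spi, "seq": seq, "esp_len": len(data) - offset}


def analyze(data):
    """Triage helper: what Snort saw, whether a shifted header makes sense,
    and what the shifted payload would be if this is NAT-T traffic."""
    as_decoded = parse_udp(data)
    off, fixed = realign(data)
    result = {"as_decoded": as_decoded, "realigned_offset": off, "realigned": fixed}
    if fixed and NAT_T_PORT in (fixed["sport"], fixed["dport"]):
        result["nat_t"] = parse_nat_t(data, off + 8)
    return result


if __name__ == "__main__":
    r = analyze(UDP_BYTES)
    d = r["as_decoded"]
    print(f"as decoded: {d['sport']} -> {d['dport']} len={d['length']} "
          f"avail={d['available']} short_udp={d['short_udp']}")
    if r["realigned_offset"] is not None:
        f = r["realigned"]
        print(f"realigned at +{r['realigned_offset']}: {f['sport']} -> {f['dport']} "
              f"len={f['length']} csum={f['checksum']}")
    if "nat_t" in r:
        n = r["nat_t"]
        print(f"after UDP/4500: {n['kind']} "
              + (f"spi=0x{n['spi']:08x} seq={n['seq']} esp_len={n['esp_len']}" if n["kind"] == "ESP" else ""))
```

Run as a script it prints the decoder's view first (ports 37892 and 0, length 4500 against 88 bytes available, so the short-UDP condition is true), then the view four bytes later (4500 to 4500, length 84, zero checksum), and finally the RFC 3948 reading of the rest: an SPI of 0x250fd5a6 with sequence number 1. As Bamm notes, a full capture of the packet and the rest of the session is what would confirm or refute that reading; without it, the four leading bytes stay unexplained.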



