[Snort-users] snort_decoder: Short UDP packet, length field > payload length

Bamm Visscher bamm.visscher at ...11827...
Tue Sep 12 17:58:41 EDT 2006


Yep, the name says it all:
71.5.87.148.in-addr.arpa        name = tele-csvpn-gw-3-r.oracle.com.

It's a Cisco VPN gateway at Oracle. Do you (or your customer) have a
customer/partner that would be vpning back to Oracle?

Bammkkkk


On 9/12/06, Bamm Visscher <bamm.visscher at ...11827...> wrote:
> If I had to guess, I'd say you have a mangled IPSEC via UDP packet
> (normally associated w/port 4500).  It'd be better if you had the
> actual packet (and any others belonging to the session) captured.
>
> Bammkkkk
>
>
> On 9/12/06, Eric Hines <eric.hines at ...8860...> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Has anyone seen this type of traffic before? It's a UDP Header Length >
> > Payload Length alert, but what's odd is the UDP Length is being reported
> > as 4500 bytes! But the packet is actually quite small and you see it's
> > not a fragment. The Source and Destination ports concern me along with
> > who owns that IP address. Is this possibly related to Oracle in any way?
> > Has anyone who runs Oracle seen this packet before? The IP owner
> > information is below as well.
> >
> > IP Header HEX removed for privacy.
> >
> > - ------------- packet --------------
> >
> > APPLIED WATCH EVENT INFORMATION:
> > Alert ID: 6388082
> > Priority: 3
> > Timestamp: Tue Sep 12 10:22:46 CDT 2006
> > Signature ID : 97
> > Message: snort_decoder: Short UDP packet, length field > payload length
> >
> > IP HEADER INFORMATION:
> > Ver: 4
> > Length: 108
> > Flags: 0
> > Checksum: 25081
> > Hlen: 5
> > ID: 1
> > TTL: 128
> > Source IP: XXX.XXX.XXX.XXX
> > TOS: 0
> > Offset: 0
> > Proto: 17
> > Dest IP: 148.87.5.71
> >
> > UDP PROTOCOL INFORMATION:
> > Source Port: 37892
> > Destination Port: 0
> > Length: 4500
> > Checksum: 4500
> >
> > PAYLOAD INFORMATION:
> > 9404 0000 1194 1194 0054 0000 250f d5a6         .G.........T..%...
> > 0000 0001 ee99 1554 273f 6db9 d50e 330c 8ae3    .......T'?m...3...
> > e1e8 7a9c 1720 53cc 692a dcf1 c68e e3cd 231b    ..z.. S.i*......#.
> > 8699 782c 82b6 6573 ea9a ef43 2e19 9d62 5a14    ..x,..es...C...bZ.
> > 6478 e43e 25b2 480e 1d4e e9c0 5787 ee1e fbfd    dx.>%.H..N..W.....
> >
> >
> > 148.87.5.71 is owned by Oracle it seems:
> > - -----------------------
> > OrgName:    Oracle Datenbanksysteme GmbH
> > OrgID:      ODG-3
> > Address:    500 Oracle Pkwy
> > City:       Redwood Shores
> > StateProv:  CA
> > PostalCode: 94065
> > Country:    US
> >
> > NetRange:   148.87.0.0 - 148.87.255.255
> > CIDR:       148.87.0.0/16
> > NetName:    ORACLE-AT
> > NetHandle:  NET-148-87-0-0-1
> > Parent:     NET-148-0-0-0-0
> > NetType:    Direct Assignment
> > NameServer: NS1.ORACLE.COM
> > NameServer: NS4.ORACLE.COM
> > Comment:
> > RegDate:    1991-04-11
> > Updated:    2002-04-15
> >
> > RTechHandle: JKD7-ARIN
> > RTechName:   Doyle, John K.
> > RTechPhone:  +1-650-506-2380
> > RTechEmail:  john.doyle at ...13925...
> >
> > - --
> >
> > Best Regards,
> >
> > Eric S. Hines, GCIA, CISSP
> > CEO, President, Chairman
> > Applied Watch Technologies, LLC
> >
> >
> > - --------------------------------------------------
> >
> > Email:   eric.hines at ...8860...
> > Address: 1095 Pingree Road
> >          Suite 221
> >          Crystal Lake, IL
> >          60014
> > Tel:     (877) 262-7593 ext:327
> > Local:   (847) 854-5831
> > Fax:     (847) 854-5106
> > Web:     http://www.appliedwatch.com
> >
> > - --------------------------------------------------
> > Security Management for the Open Source Enterprise
> >
> >
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.4 (MingW32)
> > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> >
> > iD8DBQFFBysj1va6QYTV0EMRAkE+AJwLPG9ch0ZFDuW18aY6yUczIneimQCfSP9B
> > IBagYj1HNpEVzIhfjREVeuk=
> > =OODh
> > -----END PGP SIGNATURE-----
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> >
>
>
> --
> sguil - The Analyst Console for NSM
> http://sguil.sf.net
>


-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net
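The alert data in the thread can be checked rather than guessed at. The following is an added example, not code from the post and not Snort's decoder; it assumes that the 88 bytes printed under PAYLOAD INFORMATION are the transport-layer bytes exactly as the decoder saw them (they do add up to the alert's IP "Length: 108" minus a 20-byte header). Parsed at offset 0 they reproduce the four UDP fields in the alert and trip the "length field > payload length" check; parsed 4 bytes later they form a self-consistent 84-byte UDP 4500->4500 datagram (checksum 0, which IPv4 permits) whose first eight payload bytes lay out like an ESP SPI and sequence number 1, which is what Bamm's IPsec-over-UDP guess predicts. The page does not say where the 4 leading bytes (9404 0000) came from, so the example treats them as unexplained; the NAT-T classification rules are from RFC 3948, and the verdict strings other than the one in the alert are my own labels.

```python
"""Re-parse the UDP bytes from the alert above under two header alignments."""
import struct

# Transport-layer bytes exactly as printed in the alert's PAYLOAD INFORMATION
# (copied from the post; the first line's ASCII column does not line up with
# its hex, so the exact byte count should be treated as approximate).
ALERT_HEX = (
    "9404 0000 1194 1194 0054 0000 250f d5a6"
    "0000 0001 ee99 1554 273f 6db9 d50e 330c 8ae3"
    "e1e8 7a9c 1720 53cc 692a dcf1 c68e e3cd 231b"
    "8699 782c 82b6 6573 ea9a ef43 2e19 9d62 5a14"
    "6478 e43e 25b2 480e 1d4e e9c0 5787 ee1e fbfd"
)
ALERT_BYTES = bytes.fromhex(ALERT_HEX.replace(" ", ""))

IP_TOTAL_LENGTH = 108      # "Length: 108" in the alert's IP header
IP_HLEN_WORDS = 5          # "Hlen: 5" -> 20-byte header, no options
UDP_HEADER_LEN = 8
NAT_T_PORT = 4500          # UDP-encapsulated IPsec, RFC 3948


def ip_transport_len(total_length, hlen_words):
    """Bytes that follow the IPv4 header, i.e. what the UDP decoder is handed."""
    return total_length - hlen_words * 4


def parse_udp(data, offset=0):
    """Parse a UDP header at `offset` and apply decoder-style length checks.

    `available` is what the decoder actually has for the datagram. The
    first verdict string is the alert text from the post; the others are
    labels chosen here for the remaining length mismatches.
    """
    available = len(data) - offset
    if available < UDP_HEADER_LEN:
        return {"verdicts": ["truncated UDP header"], "available": available}
    sport, dport, length, checksum = struct.unpack_from("!HHHH", data, offset)
    verdicts = []
    if length < UDP_HEADER_LEN:
        verdicts.append("length field < 8")
    elif length > available:
        verdicts.append("Short UDP packet, length field > payload length")
    elif length < available:
        verdicts.append("Long UDP packet, length field < payload length")
    return {"sport": sport, "dport": dport, "length": length,
            "checksum": checksum, "available": available, "verdicts": verdicts}


def classify_nat_t(payload):
    """Classify a UDP/4500 payload per RFC 3948.

    A single 0xFF byte is a NAT-keepalive; four zero bytes (the non-ESP
    marker) introduce an IKE message; anything else is an ESP packet whose
    first eight bytes are the SPI and the sequence number.
    """
    if payload == b"\xff":
        return {"kind": "NAT-keepalive"}
    if len(payload) < 8:
        return {"kind": "too short", "len": len(payload)}
    if payload[:4] == b"\x00\x00\x00\x00":
        return {"kind": "IKE", "ike_len": len(payload) - 4}
    spi, seq = struct.unpack_from("!II", payload, 0)
    return {"kind": "ESP", "spi": spi, "seq": seq}


def analyze(data=ALERT_BYTES, offsets=(0, 4)):
    """Decode the datagram at each candidate offset; classify the NAT-T
    payload only when the header parses cleanly and a port is 4500."""
    results = {}
    for off in offsets:
        udp = parse_udp(data, off)
        entry = {"udp": udp}
        if not udp["verdicts"] and NAT_T_PORT in (udp["sport"], udp["dport"]):
            start = off + UDP_HEADER_LEN
            entry["nat_t"] = classify_nat_t(data[start:off + udp["length"]])
        results[off] = entry
    return results


if __name__ == "__main__":
    print("IP header implies", ip_transport_len(IP_TOTAL_LENGTH, IP_HLEN_WORDS),
          "transport bytes; bytes printed in the alert:", len(ALERT_BYTES))
    for off, entry in analyze().items():
        print(f"offset {off}: {entry}")
```

Running it shows offset 0 yielding ports 37892/0, length 4500, checksum 4500 and the alert's verdict, while offset 4 yields 4500/4500, length 84, no verdict, and an ESP classification with SPI 0x250fd5a6 and sequence number 1. That is consistent with the first ESP packet of a NAT-T tunnel toward a VPN gateway, but it does not explain the four extra bytes; as Bamm says, the full capture of the session is what would settle it.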



