[Snort-users] snort_decoder: Short UDP packet, length field > payload length

Bamm Visscher bamm.visscher at ...11827...
Tue Sep 12 18:14:01 EDT 2006


Just to clarify how I came up with this.

UDP PROTOCOL INFORMATION:
 Source Port: 37892
 Destination Port: 0
 Length: 4500
 Checksum: 4500

That's the key. In a UDP header the first two bytes are the src port,
the second two bytes are the dst port, and finally 2 bytes for the msg
length (and an optional checksum). The dst port is "0", which means
something is probably mangled. Both the length and checksum are 4500.
The length is odd and the checksum just can't be right. I assume the
dst port is actually 4500 and something got mangled. The hostname of
tele-csvpn-gw-3-r.oracle.com supports the conclusion that this is/was
an IPSEC packet. The real question is if it was mangled on the wire, by
snort, or during the processing of the unified output.

Ah, life as a packet monkey never gets old... ;)

Bammkkkk

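As an added example (not code from the thread), the quoted dump decoded with a few lines of Python: parse the 8-byte UDP header as captured, evaluate the length-field-versus-actual-bytes condition behind the Snort decoder alert, then, as a hypothesis the thread does not confirm, re-parse after skipping the first four bytes. The dump is 88 bytes, matching the reported IP length of 108 minus a 20-byte header; the skip of 4 bytes and the ESP interpretation of the re-aligned payload are assumptions.

```python
import struct

# Constructed from the hex dump quoted in the thread: 88 bytes, which matches the
# reported IP total length of 108 minus a 20-byte IP header (Hlen 5).
DATAGRAM = bytes.fromhex(
    "9404 0000 1194 1194 0054 0000 250f d5a6"
    "0000 0001 ee99 1554 273f 6db9 d50e 330c 8ae3"
    "e1e8 7a9c 1720 53cc 692a dcf1 c68e e3cd 231b"
    "8699 782c 82b6 6573 ea9a ef43 2e19 9d62 5a14"
    "6478 e43e 25b2 480e 1d4e e9c0 5787 ee1e fbfd"
)
UDP_HEADER = struct.Struct("!HHHH")  # src port, dst port, length, checksum (big-endian)

def parse_udp(datagram: bytes) -> dict:
    """Decode the 8-byte UDP header and apply the thread's two sanity checks: a
    length field larger than the bytes actually present (the condition behind
    Snort's "Short UDP packet" decoder alert) and a zero destination port."""
    if len(datagram) < UDP_HEADER.size:
        raise ValueError("datagram shorter than a UDP header")
    sport, dport, length, cksum = UDP_HEADER.unpack_from(datagram)
    return {
        "src_port": sport,
        "dst_port": dport,
        "length": length,
        "checksum": cksum,
        "actual_len": len(datagram),
        "short_udp": length > len(datagram),
        "dst_port_zero": dport == 0,
    }

def realigned(datagram: bytes, skip: int = 4) -> dict:
    """Hypothesis only (not confirmed in the thread): treat the leading `skip`
    bytes as an extraneous prefix and decode the UDP header from there."""
    return parse_udp(datagram[skip:])

def esp_header(payload: bytes) -> tuple:
    """If the re-aligned datagram is NAT-T ESP (UDP 4500), RFC 4303 puts a 4-byte
    SPI followed by a 4-byte sequence number at the start of the payload."""
    return struct.unpack_from("!II", payload)

if __name__ == "__main__":
    print("as captured :", parse_udp(DATAGRAM))
    print("skip 4 bytes:", realigned(DATAGRAM))
    print("ESP SPI/seq :", esp_header(DATAGRAM[4 + UDP_HEADER.size:]))
```

With the four leading bytes skipped, the header reads 4500 to 4500 with length 84 and a zero checksum (permitted for UDP over IPv4), and the length field then equals the bytes that remain.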

On 9/12/06, Bamm Visscher <bamm.visscher at ...11827...> wrote:
> If I had to guess, I'd say you have a mangled IPSEC via UDP packet
> (normally associated w/port 4500).  It'd be better if you had the
> actual packet (and any others belonging to the session) captured.
>
> Bammkkkk
>
>
> On 9/12/06, Eric Hines <eric.hines at ...8860...> wrote:
> >
> > Has anyone seen this type of traffic before? It's a UDP Header Length >
> > Payload Length alert but what's odd is the UDP Length is being reported
> > as 4500 bytes! But the packet is actually quite small and you see it's
> > not a fragment. The Source and Destination ports concern me along with
> > who owns that IP address. Is this possibly related to Oracle in any way?
> > Has anyone who runs Oracle seen this packet before? The IP owner
> > information is below as well.
> >
> > IP Header HEX removed for privacy.
> >
> > ------------- packet --------------
> >
> > APPLIED WATCH EVENT INFORMATION:
> > Alert ID: 6388082
> > Priority: 3
> > Timestamp: Tue Sep 12 10:22:46 CDT 2006
> > Signature ID : 97
> > Message: snort_decoder: Short UDP packet, length field > payload length
> >
> > IP HEADER INFORMATION:
> > Ver: 4
> > Length: 108
> > Flags: 0
> > Checksum: 25081
> > Hlen: 5
> > ID: 1
> > TTL: 128
> > Source IP: XXX.XXX.XXX.XXX
> > TOS: 0
> > Offset: 0
> > Proto: 17
> > Dest IP: 148.87.5.71
> >
> > UDP PROTOCOL INFORMATION:
> > Source Port: 37892
> > Destination Port: 0
> > Length: 4500
> > Checksum: 4500
> >
> > PAYLOAD INFORMATION:
> > 9404 0000 1194 1194 0054 0000 250f d5a6         .G.........T..%...
> > 0000 0001 ee99 1554 273f 6db9 d50e 330c 8ae3    .......T'?m...3...
> > e1e8 7a9c 1720 53cc 692a dcf1 c68e e3cd 231b    ..z.. S.i*......#.
> > 8699 782c 82b6 6573 ea9a ef43 2e19 9d62 5a14    ..x,..es...C...bZ.
> > 6478 e43e 25b2 480e 1d4e e9c0 5787 ee1e fbfd    dx.>%.H..N..W.....
> >
> >
> > 148.87.5.71 is owned by Oracle it seems:
> > -----------------------
> > OrgName:    Oracle Datenbanksysteme GmbH
> > OrgID:      ODG-3
> > Address:    500 Oracle Pkwy
> > City:       Redwood Shores
> > StateProv:  CA
> > PostalCode: 94065
> > Country:    US
> >
> > NetRange:   148.87.0.0 - 148.87.255.255
> > CIDR:       148.87.0.0/16
> > NetName:    ORACLE-AT
> > NetHandle:  NET-148-87-0-0-1
> > Parent:     NET-148-0-0-0-0
> > NetType:    Direct Assignment
> > NameServer: NS1.ORACLE.COM
> > NameServer: NS4.ORACLE.COM
> > Comment:
> > RegDate:    1991-04-11
> > Updated:    2002-04-15
> >
> > RTechHandle: JKD7-ARIN
> > RTechName:   Doyle, John K.
> > RTechPhone:  +1-650-506-2380
> > RTechEmail:  john.doyle at ...13925...
> >
> > --
> >
> > Best Regards,
> >
> > Eric S. Hines, GCIA, CISSP
> > CEO, President, Chairman
> > Applied Watch Technologies, LLC
> >


-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net