No subject


Thu Nov 23 16:36:19 EST 2017


> Generally speaking, you're not supposed to send application data in the
> SYN packet (it's bad form to send application layer data before the
> connection is even established), that's what this alert is firing on. 
> It's probably just a bad stack implementation.
> 
>      -Marty
> 
> Matt Kettler wrote:
> > 
> > Well, the port 29291 is just a random local port.. This is a syn packet
> > remember, so the service being used is on destination end, and is port 53
> > (dns).
> > 
> > so, 207.46.106.84 has decided that 172.40.20.235 might be a dns server, and
> > has attempted to connect to it via TCP (it is unusual, but legal for a DNS
> > server to be contacted via tcp instead of UDP).
> > 
> > I've seen some similar traffic myself from a pair of DNS servers directed
> > at the local DNS server here.. the TCP syn packets contain several bytes of
> > data which are all 00's. It is strange (AFAIK it is not legal to send data
> > with a syn packet.. you haven't negotiated a connection yet), but it
> > appears to be an artifact of a buggy tcp/ip implementation.. Or who knows,
> > it may be an artifact of some obscure, buggy worm or scanning tool that
> > looks at DNS servers and uses raw sockets instead of the local TCP/IP
> > stack. Even if it is from some obscure hacking tool, the syn packets
> > themselves appear harmless.
> > 
> > At 07:39 AM 1/14/2002 +0100, you wrote:
> > >Hi!
> > >
> > >I get a lot of
> > >
> > >01/14-02:24:17.089098  [**] [1:526:3] BAD TRAFFIC data in TCP SYN packet
> > >[**] [Classification: Misc activity] [Priority: 3] {TCP} 207.46.106.84:29291
> > >-> 172.40.20.235:53
> > >
> > >172.40.20.235 is my DNS server, but why would clients put data in the syn
> > >packets? According to RIPE, the source address is "ALLOCATED UNSPECIFIED",
> > >so I can't find out who's doing this. It comes from a limited number of
> > >addresses, they all seem to be 207.xx.xxx.xxx.
> > 

-- 
Laurie
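The alert line posted above and the SYN-with-zero-bytes traffic Matt describes, as an added example that is not part of the original thread or of Snort itself: the first function parses the fast-format alert line into its fields so it can be counted or filtered, and the second inspects a raw TCP header to decide whether a segment is a bare SYN carrying payload, which is the condition the alert is about. The helper that builds test segments is an assumption of this example (no checksum, zero sequence numbers), and the sample alert line is the one from the thread, re-joined onto a single line.

```python
import re
import struct
from dataclasses import dataclass
from typing import Optional

# Snort fast-format alert line, as seen in the thread (re-joined onto one line).
SAMPLE_ALERT = (
    "01/14-02:24:17.089098  [**] [1:526:3] BAD TRAFFIC data in TCP SYN packet "
    "[**] [Classification: Misc activity] [Priority: 3] {TCP} "
    "207.46.106.84:29291 -> 172.40.20.235:53"
)

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$"
)


@dataclass
class SnortAlert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_snort_alert(line: str) -> SnortAlert:
    """Parse one Snort fast-format alert line; raises ValueError if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Snort fast-format alert: {line!r}")
    port = lambda v: int(v) if v is not None else None
    return SnortAlert(
        m["ts"], int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"], m["cls"],
        int(m["pri"]), m["proto"], m["src"], port(m["sport"]), m["dst"], port(m["dport"]),
    )


# Classic six TCP flag bits (FIN, SYN, RST, PSH, ACK, URG); CWR/ECE/NS are ignored below.
TCP_SYN = 0x02
TCP_ACK = 0x10
FLAG_MASK = 0x3F


def tcp_syn_with_payload(segment: bytes) -> Optional[int]:
    """Return the payload length if `segment` is a bare SYN (no other classic flag)
    that carries data, i.e. application bytes sent before the handshake completed.
    Returns None for anything else; raises ValueError on a malformed header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    _sport, _dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = (off_flags >> 12) * 4  # header length in bytes, options included
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad TCP data offset")
    payload_len = len(segment) - data_offset
    if (off_flags & FLAG_MASK) == TCP_SYN and payload_len > 0:
        return payload_len
    return None


def build_tcp_segment(sport: int, dport: int, flags: int,
                      payload: bytes = b"", options: bytes = b"") -> bytes:
    """Constructed test helper (assumption of this example): minimal TCP segment with
    zero seq/ack numbers, a fixed window and no checksum, options padded to 4 bytes."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                         (data_offset << 12) | flags, 8192, 0, 0)
    return header + options + payload


# Constructed segment matching Matt's description: a SYN to port 53 carrying a few 00 bytes.
SAMPLE_SYN_WITH_NULLS = build_tcp_segment(29291, 53, TCP_SYN, payload=b"\x00" * 4)
# Constructed normal SYN with an MSS option and no payload, for comparison.
SAMPLE_PLAIN_SYN = build_tcp_segment(29291, 53, TCP_SYN, options=b"\x02\x04\x05\xb4")

if __name__ == "__main__":
    a = parse_snort_alert(SAMPLE_ALERT)
    print(f"sid {a.sid} rev {a.rev}: {a.msg} {a.src}:{a.sport} -> {a.dst}:{a.dport}")
    print("payload bytes in null-padded SYN:", tcp_syn_with_payload(SAMPLE_SYN_WITH_NULLS))
    print("payload bytes in plain SYN:", tcp_syn_with_payload(SAMPLE_PLAIN_SYN))
```

Running it over a batch of alert lines lets you group by `src` and `sid` to confirm, as Laurie did, that the alerts come from a handful of sources; the header check shows why TCP options on a SYN (the MSS option in `SAMPLE_PLAIN_SYN`) are not "data", since they sit inside the header length, while bytes past the data offset are.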




More information about the Snort-users mailing list