No subject


Thu Nov 23 16:36:19 EST 2017


non-routable IP given by Windows to DHCP clients that can't grab a DHCP
address. It is possible for a NIC to have more than one IP; this might be
the case here. From that dump it looks like you have an infected
computer.

Chris

-----Original Message-----
From: jai [mailto:jai.s at ...6716...]
Sent: Saturday, January 25, 2003 9:51 AM
To: snort-users at lists.sourceforge.net; focus-ids at ...35...;
vuln-dev at ...35...; Paul Marcus
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] UDP 1434


Hi,

 Internet traffic of  INDIA's and ASIA's network has been affected
badly.....it's amazing....seriously microsoft sucks..  but it's fun !! :-)

Well I found something new in this ... I think this worm spoofs IP
address according ....below is the tcpdump output ..out which the host
is ....169.254.198.47. sending repeated packets to different network...
but...169.254.198.47..is not our network....after matching the MAC
address ..it was originating ...from our IP i.e 202.71.129.197..

tcpdump output :

20:56:28.016820 0:2:b3:2f:a4:95 1:0:5e:2d:b2:12 ip 418: 169.254.198.47.4041 > 224.173.178.18.ms-sql-m:  udp 376 [ttl 1]
                         4500 0194 8e94 0000 0111 26d7 a9fe c62f
                         e0ad b212 0fc9 059a 0180 2294 0401 0101
                         0101 0101 0101 0101 0101 0101 0101 0101
                         0101 0101 0101 0101 0101 0101 0101 0101
                         0101 0101 0101 0101 0101 0101 0101 0101
                         0101
20:56:28.016820 0:2:b3:2f:a4:95 1:0:5e:58:ed:71 ip 418: 169.254.198.47.4041 > reserved-multicast-range-NOT-delegated.example.com.ms-sql-m:  udp 376 [ttl 1]
                         4500 0194 8e95 0000 0111 e5cb a9fe c62f
                         e658 ed71 0fc9 059a 0180 e189 0401 0101
                         0101 0101 0101 0101 0101 0101 0101 0101
                         0101 0101 0101 0101 0101 0101 0101 0101
                         0101 0101 0101 0101 0101 0101 0101 0101


Router the MAC address ..
  Internet  202.71.129.197        157   0002.b32f.a495  ARPA   FastEthernet6/0

I am running snort ...but it didn't detect....

Rgds
Jai





----- Original Message -----
From: Paul Marcus <paulmarcus at ...468...>
To: jai <jai.s at ...6716...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Saturday, January 25, 2003 8:20 PM
Subject: Re: [Snort-users] UDP 1434


> http://forums.military.com/1/OpenTopic?a=tpc&s=78919038&f=409192893&m=4551982416
>
> http://slashdot.org/articles/03/01/25/1245206.shtml?tid=109
>
>
> On Sat, 2003-01-25 at 06:49, jai wrote:
> > Hi,
> >
> >
> > I am getting very high traffic on UDP 1434 ....
> >
> > what might be the problem
> >
> > Rgds
> > Jai
>
>
>
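
Added example, not part of the original thread: a short Python decode of the first packet's hex dump quoted above, checking the fields the thread discusses (link-local source address, UDP destination port 1434, TTL 1) and validating the IP header checksum. The function name `decode` and the result field names are assumptions made for this illustration.

```python
import ipaddress
import struct

# Hex words of the first packet, copied from the tcpdump output above.
# The capture was truncated, so only the start of the UDP payload is present.
DUMP = """
4500 0194 8e94 0000 0111 26d7 a9fe c62f
e0ad b212 0fc9 059a 0180 2294 0401 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101
"""

def decode(dump):
    """Decode the IPv4 and UDP headers from a tcpdump -x style hex dump."""
    raw = bytes.fromhex("".join(dump.split()))
    ihl = (raw[0] & 0x0F) * 4                      # IP header length in bytes
    src = ipaddress.ip_address(raw[12:16])
    dst = ipaddress.ip_address(raw[16:20])
    # One's-complement sum of the header words; 0xFFFF means a valid checksum.
    total = sum(struct.unpack("!%dH" % (ihl // 2), raw[:ihl]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    sport, dport, udp_len, _cksum = struct.unpack("!4H", raw[ihl:ihl + 8])
    payload = raw[ihl + 8:]
    return {
        "src": str(src), "dst": str(dst),
        "ttl": raw[8], "proto": raw[9],
        "sport": sport, "dport": dport,
        "udp_payload_len": udp_len - 8,            # per header, not per capture
        "ip_checksum_ok": total == 0xFFFF,
        "src_link_local": src.is_link_local,       # 169.254.0.0/16
        "dst_multicast": dst.is_multicast,         # 224.0.0.0/4
        "first_payload_byte": payload[0],
        "captured_payload": len(payload),
    }

if __name__ == "__main__":
    for key, value in decode(DUMP).items():
        print(f"{key:20} {value}")
```

Because the IP source is a link-local address, the Ethernet source MAC on the same tcpdump line is the field that ties the frame to a host, which is the match described in the message above.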


