<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <title></title>
</head>
<body>
Greetings Snorters,<br>
<br>
Has anyone seen an ACID packet log that looks like this? It looks to me like
someone has crafted a TCP packet in the payload of an ICMP packet. Is this
an attack against the destination address of the TCP packet?<br>
<br>
<table border="1">
  <tbody>
    <tr>
      <td class="metatitle" width="50" align="center" rowspan="3">Meta  
            </td>
      <td>                   
      <table border="1" cellpadding="4">
                     <tbody>
          <tr>
            <td class="plfieldhdr">ID #</td>
                         <td class="plfieldhdr">Time</td>
                         <td class="plfieldhdr">Triggered Signature</td>
          </tr>
                     <tr>
            <td class="plfield">2 - 796508</td>
                         <td class="plfield">2002-09-25 22:37:48</td>
                         <td class="plfield"><font size="-1">[<a
 href="http://www.snort.org/snort-db/sid.html?sid=523"
 target="_ACID_ALERT_DESC">snort</a>]</font> BAD TRAFFIC ip reserved bit
set</td>
          </tr>
                         
        </tbody>
      </table>
               </td>
            </tr>
  <tr>
              <td>                 
      <table border="1" cellpadding="4">
                   <tbody>
          <tr>
            <td class="metatitle" align="center" rowspan="2">Sensor</td>
                        <td class="plfieldhdr">name</td>
                        <td class="plfieldhdr">interface</td>
                        <td class="plfieldhdr">filter</td>
                   </tr>
                   <tr>
            <td class="plfield">130.113.0.0</td>
                       <td class="plfield">hme0</td>
                       <td class="plfield"> <i>none</i> </td>
                   </tr>
                  
        </tbody>
      </table>
                </td>
    </tr>
 <tr>
            <td>              
      <table border="1" cellpadding="4">
                <tbody>
          <tr>
            <td class="metatitle" align="center" rowspan="1">Alert<br>
Group</td>
        <td>  <i>none</i> </td>
          </tr>
      
        </tbody>
      </table>
   </td>
    </tr>
         
  </tbody>
</table>
        
<table border="1">
           <tbody>
    <tr>
      <td class="iptitle" width="50" rowspan="3" align="center">IP      </td>
      <td>         
      <table border="1" cellpadding="2">
            <tbody>
          <tr>
            <td class="plfieldhdr">source addr</td>
                         <td class="plfieldhdr">  dest addr  </td>
                         <td class="plfieldhdr">Ver</td>
                         <td class="plfieldhdr">Hdr Len</td>
                         <td class="plfieldhdr">TOS</td>
                         <td class="plfieldhdr">length</td>
                         <td class="plfieldhdr">ID</td>
                         <td class="plfieldhdr">flags</td>
                         <td class="plfieldhdr">offset</td>
                         <td class="plfieldhdr">TTL</td>
                         <td class="plfieldhdr">chksum</td>
          </tr>
             <tr>
            <td class="plfield">                        <a
 href="http://wardroom.cis.mcmaster.ca/acid/acid_stat_ipaddr.php?ip=210.134.0.129&netmask=32">210.134.X.Y</a></td>
                 <td class="plfield">                          <a
 href="http://wardroom.cis.mcmaster.ca/acid/acid_stat_ipaddr.php?ip=130.113.172.93&netmask=32">130.113.xx.yy</a></td>
                 <td class="plfield">4</td>
                 <td class="plfield">5</td>
                 <td class="plfield">0</td>
                 <td class="plfield">56</td>
                 <td class="plfield">63653</td>
                 <td class="plfield">0</td>
                 <td class="plfield">0</td>
                 <td class="plfield">46</td>
                 <td class="plfield">4681</td>
          </tr>
         
        </tbody>
      </table>
  </td>
    </tr>
    <tr>
               <td>                 
      <table border="1" cellpadding="4">
                   <tbody>
          <tr>
            <td class="iptitle" align="center" rowspan="2">FQDN</td>
                        <td class="plfieldhdr">Source Name</td>
                        <td class="plfieldhdr">Dest. Name</td>
                   </tr>
                   <tr>
            <td class="plfield"> <i>Unable to resolve address</i> </td>
                       <td class="plfield">****.Physics.McMaster.CA</td>
                   </tr>
                  
        </tbody>
      </table>
                  </td>
    </tr>
  <tr>
      <td>         
      <table border="1" cellpadding="4">
           <tbody>
          <tr>
            <td class="iptitle" align="center" rowspan="1">Options</td>
             <td>     <i>none </i></td>
          </tr>
         
        </tbody>
      </table>
      </td>
    </tr>
  </tbody>
</table>
            
<table border="1">
               <tbody>
    <tr>
      <td class="layer4title" width="50" rowspan="2" align="center">ICMP
     </td>
      <td>         
      <table border="1" cellpadding="2">
            <tbody>
          <tr>
            <td class="plfieldhdr">type</td>
                            <td class="plfieldhdr">code</td>
                            <td class="plfieldhdr">checksum</td>
                            <td class="plfieldhdr">id</td>
                            <td class="plfieldhdr">seq #</td>
          </tr>
            <tr>
            <td class="plfield">(3) Destination Unreachable</td>
                <td class="plfield">(1) Host Unreachable</td>
                <td class="plfield">31622</td>
                <td class="plfield"><br>
            </td>
                <td class="plfield"><br>
            </td>
          </tr>
         
        </tbody>
      </table>
      </td>
    </tr>
  </tbody>
</table>
                     
<table border="1">
  <tbody>
    <tr>
      <td class="payloadtitle" width="50" rowspan="2" align="center">Payload
      </td>
      <td> 
      <pre> length = 32

000 : 00 00 00 00 45 00 00 3C 32 7E 40 00 2B 06 1B E7   ....E..&lt;2~@.+...
010 : 82 71 AC 5D D2 86 00 02 86 95 01 BB C7 6B 31 BC   .q.].........k1.
      </pre>
 
      <table border="1">
        <tbody>
          <tr>
            <td class="plfieldhdr">Protocol</td>
            <td class="plfieldhdr">Org.Source<br>
IP</td>
            <td class="plfieldhdr">Org.Source<br>
Name</td>
            <td class="plfieldhdr">Org.Source<br>
Port</td>
            <td class="plfieldhdr">Org.Destination<br>
IP</td>
            <td class="plfieldhdr">Org.Destination<br>
Name</td>
            <td class="plfieldhdr">Org.Destination<br>
Port</td>
          </tr>
          <tr>
            <td class="plfield">TCP</td>
            <td class="plfield"><a
 href="http://wardroom.cis.mcmaster.ca/acid/acid_stat_ipaddr.php?ip=130.113.172.93&netmask=32"
 target="_PL_SIP">130.113.xx.yy</a></td>
            <td class="plfield">****.Physics.McMaster.CA</td>
            <td class="plfield">34453</td>
            <td class="plfield"><a
 href="http://wardroom.cis.mcmaster.ca/acid/acid_stat_ipaddr.php?ip=210.134.0.2&netmask=32"
 target="_PL_DIP">210.134.X.Y1</a></td>
            <td class="plfield"> <i>Unable to resolve address</i> </td>
            <td class="plfield">443</td>
          </tr>
        </tbody>
      </table>
      </td>
    </tr>
  </tbody>
</table>
<br>
<pre class="moz-signature">-- 
   __     _             _            Network Analyst
  /  )   //            ' )   /       Computing & Information Services
 /    __|/  o ____      / / / . .    McMaster University
(__/ (_) \_<_/ / <_    (_(_/ (_/_    (905)525-9140 ext 24050
                                     <a class="moz-txt-link-freetext" href="http://netman.McMaster.CA">http://netman.McMaster.CA</a>
Only get into a life boat if you have to step UP to get into it.
</pre>
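<br>
Added example (not part of the original post or of ACID): the 32-byte payload dump above decoded as the body of an RFC 792 ICMP Destination Unreachable, i.e. the embedded IP header plus the first 8 bytes of the datagram that provoked it, which is why a TCP header appears inside the ICMP packet. The constant and function names are my own; the hex bytes are copied from the log.<br>

```python
"""Decode the ICMP Destination Unreachable payload from the ACID log above.

RFC 792: an ICMP error carries the IP header plus the first 8 bytes of the
datagram that caused it.  The bytes below are the 32-byte payload dump from
the log (copied from that dump; the first 4 bytes are the ICMP 'unused' field).
"""
import socket
import struct

PAYLOAD_HEX = (  # copied from the "Payload" section of the log above
    "00 00 00 00 45 00 00 3C 32 7E 40 00 2B 06 1B E7 "
    "82 71 AC 5D D2 86 00 02 86 95 01 BB C7 6B 31 BC"
)

IP_FLAG_RESERVED = 0x8000  # the "reserved bit" that Snort sid 523 looks for
IP_FLAG_DF = 0x4000        # Don't Fragment


def decode_icmp_unreachable_payload(payload: bytes) -> dict:
    """Parse the embedded IP header and transport header of an ICMP type 3 error."""
    inner = payload[4:]  # skip the 4-byte unused field after type/code/checksum
    if len(inner) < 20:
        raise ValueError("payload too short for an embedded IP header")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _chksum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "version": ver_ihl >> 4,
        "total_length": total_len,
        "id": ident,
        "reserved_bit": bool(flags_frag & IP_FLAG_RESERVED),
        "dont_fragment": bool(flags_frag & IP_FLAG_DF),
        "ttl": ttl,
        "protocol": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
    }
    transport = inner[ihl:ihl + 8]  # first 8 bytes of the original datagram's data
    if proto == 6 and len(transport) >= 8:  # TCP: ports + sequence number fit in 8 bytes
        sport, dport, seq = struct.unpack("!HHI", transport)
        info.update(src_port=sport, dst_port=dport, seq=seq)
    return info


def decode_log_payload() -> dict:
    """Decode the payload copied from the log; the result matches the Org.* table."""
    return decode_icmp_unreachable_payload(bytes.fromhex(PAYLOAD_HEX))


if __name__ == "__main__":
    for key, value in decode_log_payload().items():
        print(f"{key:>14}: {value}")
```

The embedded header shows the sensor's own host as the original source and port 443 on the remote host as the original destination, so the ICMP packet is the remote network reporting a failure for that outgoing connection; note also that the inner header has DF set, not the reserved bit.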
</body>
</html>