Subject: Re: [snort] Anybody got a clue
From: Max Vision (visionwhitehats.com)
Date: Sat Mar 04 2000 - 09:34:26 CST


Multicast of some sort. 224.0.0.0 is a reserved address range "MCAST-NET".
Honestly, I haven't seen a whole lot of legitimate multicast traffic, so
I'm not sure what this packet could be.

Could you clarify: are you at the uoregon.edu address, or are these both
totally foreign networks?

On Sat, 4 Mar 2000, Ralf Hildebrandt wrote:
> Today the following was logged:
>
> [**] Tiny Fragments - Possible Hostile Activity [**]
> 03/03-13:32:20.028959 128.223.83.24 -> 224.2.163.188
> UDP TTL:113 TOS:0x0 ID:39530 MF
> Frag Offset: 0x0 Frag Size: 0x68
> 04 16 5D 10 01 54 B1 96 80 00 B3 7F 22 C3 8D B9 ..]..T......"...
> F4 99 E2 89 B2 A4 A6 C1 C1 A9 AA C5 A7 9E A4 A6 ................
> AA AC AF AC A9 AD AB BA BE A8 AD B0 B8 FE E7 CD ................
> B8 DB 4A 68 54 68 39 39 39 29 3F 4E 31 31 37 3B ..JhTh999)?N117;
> 3D 4A D3 4E 46 CD BA B6 CD BA AF AF 5C 39 FE 3B =J.NF.......\9.;
> 46 5C 3B 4E 68 3F 4A FE 39 2F 2A 20 27 2F 1E 1D F\;Nh?J.9/* '/..
> 2A 27 1D 1A 1C 1A 19 22 *'....."
>
> I got 201 packets of Frag Size: 0x68 and 16672 of Frag Size: 0x30
>
> All packets begin with:
> 04 16 5D 10 01 54 ..]..T
>
> Anybody got a clue what that is?
>
> --
> Ralf Hildebrandt <R.Hildebrandttu-bs.de> www.stahl.bau.tu-bs.de/~hildeb
> The nice thing about Windows is - It does not just crash, it displays
> a dialog box and lets you press 'OK' first.
>
>
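
As an added example (not part of the original thread and not Snort code): a Python triage helper that parses the alert format quoted above, checks whether the destination falls in the multicast range, and reads the first eight dumped bytes as a UDP header. It assumes the hex dump is the IP payload of the fragment, which fits the full dump being 0x68 bytes long; `triage` and `ALERT` are hypothetical names.

```python
import ipaddress
import re
import struct

# Alert text copied from the quoted log above (first two dump rows only).
ALERT = """\
03/03-13:32:20.028959 128.223.83.24 -> 224.2.163.188
UDP TTL:113 TOS:0x0 ID:39530 MF
Frag Offset: 0x0 Frag Size: 0x68
04 16 5D 10 01 54 B1 96 80 00 B3 7F 22 C3 8D B9 ..]..T......"...
F4 99 E2 89 B2 A4 A6 C1 C1 A9 AA C5 A7 9E A4 A6 ................
"""


def triage(alert: str) -> dict:
    """Summarise one fragment alert in the layout shown in the quoted log."""
    lines = alert.strip().splitlines()
    src, dst = re.search(r"(\S+) -> (\S+)", lines[0]).groups()
    frag = re.search(
        r"Frag Offset: (0x[0-9A-Fa-f]+)\s+Frag Size: (0x[0-9A-Fa-f]+)", lines[2])
    offset, size = (int(v, 16) for v in frag.groups())

    # Each dump row is up to 16 hex byte pairs followed by an ASCII column.
    data = bytearray()
    for row in lines[3:]:
        m = re.match(r"(?:[0-9A-Fa-f]{2} ){1,16}", row)
        if m:
            data += bytes.fromhex(m.group(0))

    result = {
        "src": src,
        "dst": dst,
        "multicast": ipaddress.ip_address(dst).is_multicast,  # 224.0.0.0/4
        "more_fragments": " MF" in lines[1],
        "frag_offset": offset,
        "frag_size": size,
    }
    # Assumption: the dump is the IP payload, so the offset-0 fragment of a
    # UDP datagram starts with the 8-byte UDP header.
    if offset == 0 and lines[1].startswith("UDP") and len(data) >= 8:
        sport, dport, length, _cksum = struct.unpack("!HHHH", data[:8])
        result.update(sport=sport, dport=dport, udp_length=length,
                      spans_fragments=length > size)
    return result


if __name__ == "__main__":
    print(triage(ALERT))
```

Under that assumption, the shared prefix `04 16 5D 10 01 54` decodes to source port 1046, destination port 23824 and a UDP length of 340 bytes, which is larger than the 104-byte fragment and consistent with the MF flag.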