Subject: Re: [snort] Anybody got a clue
From: Martin Roesch (roeschhiverworld.com)
Date: Sat Mar 04 2000 - 13:06:17 CST


Well, the source port is 1046 and the destination port is 23824.....

     -Marty

Max Vision wrote:
>
> Multicast of some sort. 224.0.0.0 is a reserved address range "MCAST-NET".
> Honestly, I haven't seen a whole lot of legitimate multicast traffic, so
> I'm not sure what this packet could be.
>
> Could you clarify, are you at the uoregon.edu address? or are these both
> totally foreign networks?
>
> On Sat, 4 Mar 2000, Ralf Hildebrandt wrote:
> > Today the following was logged:
> >
> > [**] Tiny Fragments - Possible Hostile Activity [**]
> > 03/03-13:32:20.028959 128.223.83.24 -> 224.2.163.188
> > UDP TTL:113 TOS:0x0 ID:39530 MF
> > Frag Offset: 0x0 Frag Size: 0x68
> > 04 16 5D 10 01 54 B1 96 80 00 B3 7F 22 C3 8D B9 ..]..T......"...
> > F4 99 E2 89 B2 A4 A6 C1 C1 A9 AA C5 A7 9E A4 A6 ................
> > AA AC AF AC A9 AD AB BA BE A8 AD B0 B8 FE E7 CD ................
> > B8 DB 4A 68 54 68 39 39 39 29 3F 4E 31 31 37 3B ..JhTh999)?N117;
> > 3D 4A D3 4E 46 CD BA B6 CD BA AF AF 5C 39 FE 3B =J.NF.......\9.;
> > 46 5C 3B 4E 68 3F 4A FE 39 2F 2A 20 27 2F 1E 1D F\;Nh?J.9/* '/..
> > 2A 27 1D 1A 1C 1A 19 22 *'....."
> >
> > I got 201 packets of Frag Size: 0x68 and 16672 of Frag Size: 0x30
> >
> > All packets begin with:
> > 04 16 5D 10 01 54 ..]..T
> >
> > Anybody got a clue what that is?
> >
> > --
> > Ralf Hildebrandt <R.Hildebrandttu-bs.de> www.stahl.bau.tu-bs.de/~hildeb
> > The nice thing about Windows is - It does not just crash, it displays
> > a dialog box and lets you press 'OK' first.
> >
> >

-- 
Martin Roesch                      <roeschhiverworld.com>
Director of Forensic Systems     http://www.hiverworld.com
Hiverworld, Inc.               Enterprise Network Security
Network Forensics, Intrusion Detection and Risk Assessment
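
Added example, not part of the original messages: because the alert shows fragment offset 0, the dumped bytes begin with the UDP header, and decoding the first eight bytes yields the ports given in the reply above. The function names and the `bytes_in_later_fragments` field are illustrative, and the sketch assumes "Frag Size" counts the bytes carried in this fragment (the quoted dump is 104 bytes, which is 0x68).

```python
import struct

# First two lines of the fragment dump quoted in the thread
# (hex column followed by Snort's ASCII column).
DUMP = """\
04 16 5D 10 01 54 B1 96 80 00 B3 7F 22 C3 8D B9 ..]..T......"...
F4 99 E2 89 B2 A4 A6 C1 C1 A9 AA C5 A7 9E A4 A6 ................
"""
FRAG_OFFSET = 0x0   # "Frag Offset: 0x0" from the alert
FRAG_SIZE = 0x68    # "Frag Size: 0x68" from the alert


def hex_dump_to_bytes(dump):
    """Collect the leading two-digit hex tokens on each line, skipping the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[:16]:      # at most 16 bytes per dump line
            if len(tok) != 2:
                break
            try:
                out.append(int(tok, 16))
            except ValueError:
                break
    return bytes(out)


def parse_udp_header(frag, frag_offset):
    """Decode the 8-byte UDP header; only the offset-0 fragment contains it."""
    if frag_offset != 0:
        raise ValueError("only the first fragment (offset 0) carries the UDP header")
    if len(frag) < 8:
        raise ValueError("need at least 8 bytes for a UDP header")
    sport, dport, length, checksum = struct.unpack("!HHHH", frag[:8])
    return {"sport": sport, "dport": dport, "length": length, "checksum": checksum}


def summarize():
    hdr = parse_udp_header(hex_dump_to_bytes(DUMP), FRAG_OFFSET)
    # The UDP length field covers the header plus data of the whole datagram,
    # so whatever exceeds this fragment's size arrives in later fragments.
    hdr["bytes_in_later_fragments"] = max(hdr["length"] - FRAG_SIZE, 0)
    return hdr


if __name__ == "__main__":
    print(summarize())
```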