From: Leonardo Rodrigues (coelhopersogo.com.br)
Date: Thu Nov 01 2001 - 07:56:32 CST

        Hello Guys,

        I know this isn't exactly a Snort-related question. Although, as I'm
    sure there are a lot of persons that are involved with
    network/traffic/software stuff, I think somebody can help me here ....

        With Snort I caught some very strange traffic flowing from one of my NT
    servers, apparently to a LOT of internet broadcast addresses. It is
    being correctly NOT forwarded by my firewall ( linux+ipchains ). But I
    don't have any idea WHAT can be generating this strange traffic. It's
    being originated on port 1029/udp, and the Snort log shows:

    [**] Strange Traffic [**]
    11/01-10:26:39.935238 192.6.1.190:1029 -> 200.246.167.255:41508
    UDP TTL:128 TOS:0x0 ID:49620 IpLen:20 DgmLen:216
    Len: 196
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 4E 54 53 41 47 41 00 00 DC 01 00 00 ....NTSAGA......
    70 FF 97 01 76 CB F1 77 01 00 1F 00 00 00 00 00 p...v..w........
    00 9C FD 7F 00 00 00 00 A0 CC F1 77 D8 00 00 00 ...........w....
    00 00 00 00 32 30 37 30 34 37 34 00 00 00 04 00 ....2070474.....
    00 00 04 00 00 00 13 00 30 E6 36 3A 00 00 13 00 ........0.6:....
    30 89 39 3A 0C 00 00 00 11 10 00 00 0.9:........

        NTSAGA is my NT NetBIOS name. Looking in the ports database, I couldn't
    find any entry for 1029/UDP.

        Do you have any idea what can be generating this traffic?

        Sincerely,
        Leonardo Rodrigues
        Persocom Network

    _______________________________________________
    Snort-users mailing list
    Snort-userslists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users
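
Added example, not part of the original post or of Snort: a Python script that parses the alert text quoted in the message, cross-checks the hex dump against the UDP length field, and extracts the printable strings a responder would use to identify the sending host and process. The function names are hypothetical, and treating a final octet of 255 as a broadcast address is an assumption about the destination network's mask.

```python
import re

ZERO_ROW = "00 " * 16 + "." * 16 + "\n"
# Alert text from the post; its six all-zero rows are generated, not retyped.
ALERT = (
    "[**] Strange Traffic [**]\n"
    "11/01-10:26:39.935238 192.6.1.190:1029 -> 200.246.167.255:41508\n"
    "UDP TTL:128 TOS:0x0 ID:49620 IpLen:20 DgmLen:216\n"
    "Len: 196\n" + ZERO_ROW * 6 +
    "00 00 00 00 4E 54 53 41 47 41 00 00 DC 01 00 00 ....NTSAGA......\n"
    "70 FF 97 01 76 CB F1 77 01 00 1F 00 00 00 00 00 p...v..w........\n"
    "00 9C FD 7F 00 00 00 00 A0 CC F1 77 D8 00 00 00 ...........w....\n"
    "00 00 00 00 32 30 37 30 34 37 34 00 00 00 04 00 ....2070474.....\n"
    "00 00 04 00 00 00 13 00 30 E6 36 3A 00 00 13 00 ........0.6:....\n"
    "30 89 39 3A 0C 00 00 00 11 10 00 00 0.9:........\n"
)

FLOW = re.compile(r"(\d+(?:\.\d+){3}):(\d+) -> (\d+(?:\.\d+){3}):(\d+)")
# Up to 16 space-terminated hex pairs at the start of a line; the ASCII column is ignored.
HEX_ROW = re.compile(r"\s*((?:[0-9A-Fa-f]{2} ){1,16})")


def parse_alert(text):
    """Return flow fields and the reassembled payload of one Snort UDP alert."""
    src, sport, dst, dport = FLOW.search(text).groups()
    udp_len = int(re.search(r"^\s*Len: (\d+)", text, re.M).group(1))
    payload = bytearray()
    for line in text.splitlines():
        row = HEX_ROW.match(line)
        if row:
            payload += bytes.fromhex(row.group(1))
    # The UDP length field counts the 8-byte header, so it cross-checks the dump.
    if len(payload) != udp_len - 8:
        raise ValueError("hex dump is truncated or mis-parsed")
    return {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "payload": bytes(payload)}


def ascii_strings(payload, min_len=4):
    """Printable ASCII runs, like strings(1); these often name the sender."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, payload)]


def targets_dot255(alert):
    """Heuristic (assumes a /24 or classful boundary): last octet is 255."""
    return alert["dst"].rsplit(".", 1)[1] == "255"


if __name__ == "__main__":
    print(ascii_strings(parse_alert(ALERT)["payload"]))
```
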