From: Mark Mason (mark.masongrandecom.com)
Date: Wed Feb 27 2002 - 15:29:07 CST


    Thanks, that helps. I probably should have also included the fact that my
    network is comprised of WANs and VLANS. My central router that most traffic
    has to go through is set up to drop packets from the 127.0.0.0 network.
    "access-list 101 deny ip 127.0.0.0 0.255.255.255 any"
    Most traffic on my network has to go through the router, unless it is on the
    same VLAN as the router, but the only thing on that VLAN is network
    equipment. So while it does appear to be generated internally, I am confused
    as to how it even got to my firewall (where snort is looking).

    -----Original Message-----
    From: Scott Taylor [mailto:scotttsoccer.com]
    Sent: Tuesday, February 26, 2002 6:28 PM
    To: Mark Mason
    Subject: Re: [Snort-users] Interesting traffic...

    with the TcpLen: 40 (which is the packet length)
    and the mss set which adds 4bytes to the packet
    your minimum packet length should be 44. So it
    looks like it isn't a valid packet. It's crafted
    or custom. Also, two nop's in the tcp header
    would lead me to believe it's coming from a
    2000 host? I'm just learning this stuff so don't
    take it as gospel. You should find out where
    that's coming from. What's weird is the 1 nop
    in the ip options portion......

    Hopefully someone here will have a better light
    to shine on this one.

    Cheers,
    Scott

    [**] [1:528:2] BAD TRAFFIC loopback traffic [**]
    [Classification: Potentially Bad Traffic]
    [Priority: 2]
    02/26-11:25:30.667238 127.0.0.1:15158 -> xxx.xxx.xxx.xxx:6473
    TCP TTL:63 TOS:0x0 ID:9155 IpLen:28 DgmLen:68 DF
    IP Options (2) => LSRR NOP
    ******S* Seq: 0x1BE3F7DA  Ack: 0x0  Win: 0xFFFF  TcpLen: 40
    TCP Options (6) => MSS: 16344 NOP WS: 1 NOP NOP TS: 281854 0

    [**] [1:528:2] BAD TRAFFIC loopback traffic [**]
    [Classification: Potentially Bad Traffic]
    [Priority: 2]
    02/26-11:25:33.657238 127.0.0.1:15158 -> xxx.xxx.xxx.xxx:6473
    TCP TTL:63 TOS:0x0 ID:9156 IpLen:28 DgmLen:68 DF
    IP Options (2) => LSRR NOP
    ******S* Seq: 0x1BE3F7DA  Ack: 0x0  Win: 0xFFFF  TcpLen: 40
    TCP Options (6) => MSS: 1460 NOP WS: 1 NOP NOP TS: 282154 0

    [**] [1:528:2] BAD TRAFFIC loopback traffic [**]
    [Classification: Potentially Bad Traffic]
    [Priority: 2]
    02/26-11:25:36.657238 127.0.0.1:15158 -> xxx.xxx.xxx.xxx:6473
    TCP TTL:63 TOS:0x0 ID:9157 IpLen:28 DgmLen:68 DF
    IP Options (2) => LSRR NOP
    ******S* Seq: 0x1BE3F7DA  Ack: 0x0  Win: 0xFFFF  TcpLen: 40
    TCP Options (6) => MSS: 1460 NOP WS: 1 NOP NOP TS: 282454 0

    _______________________________________________
    Snort-users mailing list
    Snort-userslists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users

    ---- End Original Message ----

    THERE IS ONLY ONE...
    SOCCER.COM, The Center of the Soccer Universe
    http://www.soccer.com
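A checker for alert blocks like the ones quoted above, added here as an example and not code from the thread or from Snort: it pulls out the fields Snort prints (IpLen, DgmLen, TcpLen, the IP and TCP option names), verifies that the lengths add up, and reports the loopback source and how many hop addresses the LSRR option carries. The sample block is constructed from the first alert with the masked destination replaced by the documentation address 192.0.2.10.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the thread's alert format; masked destination replaced with 192.0.2.10.
SAMPLE_ALERT = """\
[**] [1:528:2] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic]
[Priority: 2]
02/26-11:25:30.667238 127.0.0.1:15158 -> 192.0.2.10:6473
TCP TTL:63 TOS:0x0 ID:9155 IpLen:28 DgmLen:68 DF
IP Options (2) => LSRR NOP
******S* Seq: 0x1BE3F7DA  Ack: 0x0  Win: 0xFFFF  TcpLen: 40
TCP Options (6) => MSS: 16344 NOP WS: 1 NOP NOP TS: 281854 0
"""
# Wire sizes of the TCP options Snort prints by name (RFC 793, 1323, 2018).
TCP_OPT_SIZE = {"MSS": 4, "NOP": 1, "WS": 3, "TS": 10, "SackOK": 2, "EOL": 1}
LOOPBACK = ip_network("127.0.0.0/8")

def option_names(block, tag):
    # Option names on the '<tag> Options' line; their values (16344, 1, ...) are dropped.
    m = re.search(tag + r" Options \(\d+\) => (.*)", block)
    return re.findall(r"[A-Za-z]+", m.group(1)) if m else []

def parse_alert(block):
    """Extract the fields the checks below need from one Snort alert block."""
    src, dst = re.search(r"([\d.]+):\d+ -> ([\d.]+):\d+", block).groups()
    lens = {k: int(v) for k, v in re.findall(r"(IpLen|DgmLen|TcpLen):\s*(\d+)", block)}
    return {"sid": re.search(r"\[(\d+:\d+:\d+)\]", block).group(1), "src": src,
            "dst": dst, "ip_opts": option_names(block, "IP"),
            "tcp_opts": option_names(block, "TCP"), **lens}

def check_alert(rec):
    """Return (payload_bytes, route_hops, findings) for one parsed alert."""
    findings = []
    if ip_address(rec["src"]) in LOOPBACK:
        findings.append("loopback source address seen on the wire")
    # DgmLen = IP header + TCP header + payload; negative means impossible lengths.
    payload = rec["DgmLen"] - rec["IpLen"] - rec["TcpLen"]
    if payload < 0:
        findings.append("inconsistent IP/TCP lengths")
    # TcpLen is the whole TCP header: 20 fixed bytes plus the named options.
    opt_bytes = sum(TCP_OPT_SIZE.get(o, 0) for o in rec["tcp_opts"])
    if opt_bytes != rec["TcpLen"] - 20:
        findings.append(f"TCP options sum to {opt_bytes}, header carries {rec['TcpLen'] - 20}")
    # LSRR/SSRR = 3 bytes of type/len/pointer + 4 per hop; with only NOP/EOL beside it, IpLen gives the hop count.
    route_hops, ip_opts = None, set(rec["ip_opts"])
    if ip_opts & {"LSRR", "SSRR"} and ip_opts <= {"LSRR", "SSRR", "NOP", "EOL"}:
        pad = sum(o in ("NOP", "EOL") for o in rec["ip_opts"])
        route_hops = (rec["IpLen"] - 20 - pad - 3) // 4
        findings.append(f"source-routed: {route_hops} hop address(es) in the option")
    return payload, route_hops, findings
```

For the quoted alerts the lengths are consistent (payload 0, 20 bytes of TCP options) and the 8 bytes of IP options hold an LSRR entry with a single hop address.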

