
List:       emerging-sigs
Subject:    Re: [Emerging-Sigs] Detecting bad UDP Header in packet
From:       rl vaughn <rl_vaughn () baylor ! edu>
Date:       2017-08-16 22:33:35
Message-ID: 315eea0b-2b61-134f-ef13-e23545046450 () baylor ! edu



On 8/15/17 10:34 AM, BILL LARIVIERE wrote:
> All,
> We have had some unique packets find their way to our network. The IP header looks
> to be intact and was routed normally. While looking at the packets in tcpdump and
> Wireshark, an anomaly was detected. It appears that at IP offset 9, the protocol
> is identified as UDP (offset9=0x11). And when you look at IP offset 20 (UDP header
> offset 0) you see 0x2e. This of course should be part of the source UDP port, not
> a period. When I look at the pcap in Wireshark, there is not a "UDP Datagram" that
> starts at IP offset 20, rather "Data" starts there. I believe this to be caused by
> an invalid port number in the "UDP Datagram" portion of the IP Header. When I run
> tcpdump on the pcap file with ip[9]=0x11 and ip[20]=0x2e the packets in question
> are identified. My question for the group is with snort/suricata. I have attempted
> to run snort with the snort rule alert ip ... content:"|2e|"; depth:4; offset:0....
> With no success. My understanding of offset is it uses the payload as the
> reference point to start inspection. With that in mind, the payload to me would be
> the "Data" portion of the IP packet. This offset did not fire an alert. I have played
> with all kinds of offset and depth settings searching for the portion of the packet
> where the period has been used for the port. To no avail. What am I missing?
> Pcap file attached with 2 packets that I am wanting to alert on.
> 
> Thanks,
> 
> 
> Bill LaRiviere, GCIA
> 
> 

I have no idea if this helps, but 212.72.175.170 is running Active
Directory on the standard port 389.  The presence of UDP suggests the
packets are LDAP (CLDAP) query (AD Ping) responses.

Of course, you already knew this, and there are no packets
matching 205.255.102.139:?->212.92.175.170:389

So, this is reflection?

Given:
https://isc.sans.edu/forums/diary/Akamai+reports+UDP+DDOS+Using+CLDAP+reaching+24Gbps/22300


I would look for suricata/snort rules for that attack.
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs@lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro
http://www.emergingthreats.net
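The offset question in the thread comes down to where a content match starts relative to the byte at IP offset 20. The script below is an added example, not code from either poster or from the Emerging Threats project: it builds two constructed IPv4 packets on RFC 5737 addresses (not the pcap attached to the original mail, which is not reproduced here), applies the same test as the tcpdump filter `ip[9]=0x11 and ip[20]=0x2e`, and computes where a UDP rule's `offset:0` actually begins (IP header length plus the 8-byte UDP header). It also checks the fragment fields, because a non-first IP fragment has no UDP header at all, so `ip[20]` is datagram data rather than a source port; that is offered as one possible explanation of a "Data" rendering at IP offset 20, assumed here for illustration, not as a diagnosis of the packets in the thread.

```python
"""Added example (not from the list thread): what ip[20] is in a UDP-type IPv4
packet, and where a Snort/Suricata content match with offset:0 would start."""
import ipaddress
import struct

IPPROTO_UDP = 17


def build_ipv4(proto, payload, src, dst, frag_offset=0, more_fragments=False):
    """Minimal IPv4 packet (20-byte header, checksum left 0) around payload.
    Constructed test data only; frag_offset is in bytes, a multiple of 8."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0x1234, flags_frag, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return header + payload


def build_udp(sport, dport, data):
    """UDP header (checksum 0) followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def parse_ipv4(pkt):
    """Decode the IPv4 fields that decide how the bytes after the header are read."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {
        "version": ver_ihl >> 4,
        "ihl": (ver_ihl & 0x0F) * 4,          # header length in bytes
        "proto": proto,                        # this is ip[9]
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }


def bpf_match(pkt):
    """Same test as the tcpdump filter 'ip[9]=0x11 and ip[20]=0x2e'."""
    return len(pkt) > 20 and pkt[9] == IPPROTO_UDP and pkt[20] == 0x2E


def udp_payload_offset(pkt):
    """IP-relative offset where a UDP rule's content 'offset:0' begins: after the
    IP header plus the 8-byte UDP header. None when there is no UDP header to
    skip: not UDP, or a non-first fragment (frag_offset > 0)."""
    hdr = parse_ipv4(pkt)
    if hdr["proto"] != IPPROTO_UDP or hdr["frag_offset"] != 0:
        return None
    return hdr["ihl"] + 8


def describe(pkt):
    """Summarise what the byte at ip[20] actually is in this packet."""
    hdr = parse_ipv4(pkt)
    off = udp_payload_offset(pkt)
    if off is None:
        return {"kind": "no-udp-header", "ip20": pkt[20],
                "content_offset0": None, "udp_sport": None, "udp_dport": None}
    sport, dport, _ulen, _csum = struct.unpack("!HHHH", pkt[hdr["ihl"]:hdr["ihl"] + 8])
    return {"kind": "udp", "ip20": pkt[20], "content_offset0": off,
            "udp_sport": sport, "udp_dport": dport}


# Constructed samples (RFC 5737 addresses, not the pcap from the thread).
# 1) An ordinary, unfragmented UDP datagram from port 389: ip[20] is the high
#    byte of the source port (0x01), so the BPF filter does not match, and a
#    content match with offset:0 starts at IP offset 28, never at 20.
CLDAP_LIKE = build_ipv4(IPPROTO_UDP,
                        build_udp(389, 40000, b"\x30\x84\x00\x00\x00\x2e"),
                        "192.0.2.10", "198.51.100.20")
# 2) A non-first IP fragment of a large UDP datagram (assumed scenario): there is
#    no UDP header, the bytes after the IP header are datagram data, and here
#    that data happens to begin with 0x2e, so the BPF filter matches.
FRAGMENT = build_ipv4(IPPROTO_UDP, b"\x2e\x00\x01\x02" + b"\x00" * 12,
                      "192.0.2.10", "198.51.100.20", frag_offset=1480)

if __name__ == "__main__":
    for name, pkt in (("CLDAP_LIKE", CLDAP_LIKE), ("FRAGMENT", FRAGMENT)):
        print(name, "bpf_match:", bpf_match(pkt), describe(pkt))
```

Run it and compare the two summaries: for the complete datagram, `content_offset0` is 28, so a rule's `offset:0; depth:4` inspects bytes 28..31 of the IP packet and can never see `ip[20]`; for the fragment there is no UDP header and so no payload offset in that sense. Either way, a byte-at-IP-offset test belongs in a BPF filter or a rule option that addresses the IP layer, not in a payload `content` match.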


