[Intrusions] LOGS: GIAC GCIA Version 3.5 Practical Detect Dante Winslow

List Account list.account at cerdant.com
Wed Dec 1 19:09:51 GMT 2004


First off, let me start by saying that I've read all of the posts that made
it to the mailing list, but there appears to be some off-list discussion I
missed out on. However, there is a paragraph that I must respond to, as I
have some pertinent info that may be of use.

You said:
"Incidents of this type of traffic pattern (255.255.255.255:31337 ->
x.x.x.x:515) were seen as early as the year 2000/2001. Sonic Wall was
started in 1991.
Mr. Stingley supports the possibility that an IPS device could have caused
this traffic and I agree. However, for my analysis methodology I am
acknowledging that the IPS device for SONIC Wall was not released until
approximately May 2004 and SONIC Wall has yet to confirm this activity. I'm
not saying that it is not plausible for Sonic Wall devices to produce this type
of traffic. I'm just not under the assumption that everyone that picked up
or that has seen this traffic on his or her network has a Sonic Wall device
in place, and if a device sent a reset, why would an ACK also be
associated with that traffic? But that is what these forums are for:
discussions.

Upon some further investigation I discovered that, in addition to the 'cko'
data in the packet, each packet also had some other data string output in
common. That data string is 7a 69 02 03 00 00 00 00 00 00 00 00 050 14; this
translates out to the word ZIP. It could be possible that this traffic is
trying to communicate, access, or distribute cko.zip or zip.cko."

The cko data in the reset packet sent by the 255.255.255.255:31337 host is
reset data sent by a Sonicwall device in response to a certain event. From
my observations of Sonicwalls, the ACK bit is set along with the RST bit,
with an RST cause. I won't go into detail, at the risk of being wrong, so here is
the link to the doc that explains the RST codes from Sonicwall:
http://www.sonicwall.com/services/pdfs/technotes/SonicOS_TCP_RST.pdf
I might be able to clarify some of what they are talking about, so just ask.


HTH,
Nathan
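
[Editor's added example, not part of Nathan's message or the quoted practical.]
The byte string quoted above (7a 69 02 03 00 00 00 00 00 00 00 00 50 14, reading the
post's "050 14" as the two bytes 0x50 0x14, which is an assumption about a typo)
has the exact layout of the first 14 bytes of a TCP header: 0x7a69 is 31337,
0x0203 is 515, the next eight bytes are zero sequence and acknowledgement
numbers, 0x50 is a data offset of 5 words, and 0x14 is the flags byte with
ACK (0x10) and RST (0x04) set, which is the RST+ACK combination Nathan
describes. Whether those bytes were header or payload in the original capture
cannot be confirmed from this thread. The script below decodes them with a
plain RFC 793 header parser and also runs a simple detection check for the
255.255.255.255:31337 -> x.x.x.x:515 RST/ACK pattern over constructed sample
segments (the "cko" payload and the second segment are constructed test
input, not captured traffic).

```python
import struct

# TCP flag bits in the low byte of the flags field (RFC 793).
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
             0x10: "ACK", 0x20: "URG"}

# The hex string quoted in the thread, taken as raw bytes. "050 14" is read
# as the two bytes 0x50 0x14 (assumption: the post appears to carry a typo).
QUOTED_BYTES = bytes.fromhex("7a69" "0203" "00000000" "00000000" "50" "14")


def flag_names(flags):
    """Return the set flag names in bit order, e.g. [\"RST\", \"ACK\"] for 0x14."""
    return [name for bit, name in sorted(TCP_FLAGS.items()) if flags & bit]


def parse_tcp_header(buf):
    """Decode the fixed part of a TCP header into a dict.

    Tolerates a truncated header (the thread quotes only 14 bytes): window,
    checksum and urgent pointer are filled in only when present, and the
    payload is None unless the data offset lies within the buffer.
    """
    if len(buf) < 14:
        raise ValueError("need at least 14 bytes of TCP header")
    sport, dport, seq, ack, off_res, flags = struct.unpack("!HHIIBB", buf[:14])
    hdr = {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (off_res >> 4) * 4,      # header length in bytes
        "flags": flags, "flag_names": flag_names(flags),
    }
    if len(buf) >= 20:
        hdr["window"], hdr["checksum"], hdr["urg_ptr"] = struct.unpack(
            "!HHH", buf[14:20])
    off = hdr["data_offset"]
    hdr["payload"] = buf[off:] if len(buf) >= off else None
    return hdr


def is_rst_ack(hdr):
    """True when exactly RST and ACK are set among the six classic flags."""
    return hdr["flags"] & 0x3F == 0x14


def matches_thread_pattern(src_ip, tcp_bytes):
    """Detection check for 255.255.255.255:31337 -> *:515 with RST+ACK."""
    hdr = parse_tcp_header(tcp_bytes)
    return (src_ip == "255.255.255.255" and hdr["sport"] == 31337
            and hdr["dport"] == 515 and is_rst_ack(hdr))


def build_tcp_segment(sport, dport, seq, ack, flags, payload=b""):
    """Construct a 20-byte TCP header (no options, checksum left zero) plus
    payload. Used only to fabricate test input for this example."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       5 << 4, flags, 0, 0, 0) + payload


# Constructed sample segments (not captured traffic): an RST/ACK carrying
# "cko" as in the thread, and an ordinary SYN to port 515 that must not match.
SAMPLE_RST = build_tcp_segment(31337, 515, 0, 0, 0x14, b"cko")
SAMPLE_SYN = build_tcp_segment(40000, 515, 12345, 0, 0x02)


def decode_quoted_bytes():
    """Decode the 14 bytes quoted in the thread as a TCP header."""
    return parse_tcp_header(QUOTED_BYTES)


if __name__ == "__main__":
    h = decode_quoted_bytes()
    print(f"quoted bytes: {h['sport']} -> {h['dport']} seq={h['seq']} "
          f"ack={h['ack']} hdrlen={h['data_offset']} "
          f"flags={'|'.join(h['flag_names'])}")
    for label, src, pkt in [("rst/ack", "255.255.255.255", SAMPLE_RST),
                            ("syn", "10.0.0.5", SAMPLE_SYN)]:
        print(label, "match" if matches_thread_pattern(src, pkt) else "no match",
              parse_tcp_header(pkt)["payload"])
```

Run it stand-alone and the quoted bytes print as 31337 -> 515 with flags RST|ACK;
the constructed RST/ACK segment matches the pattern and exposes the "cko"
payload, while the SYN does not match.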

_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org http://www.dshield.org/mailman/listinfo/intrusions
