[Intrusions] Interesting attempts (I hope)

rbeken at scitechsystems.net rbeken at scitechsystems.net
Tue May 31 18:49:06 GMT 2005


It would be really good to get some raw packets.  I'd be interested in
finding out how long the fragments are, payload, what offset etc.  Also
did this occur for a long period of time, or in bursts of a few seconds
every hour?

I saw something similar hitting my perimeter a while back (repeated
patterned traffic looking a lot like this) that appeared to be coming from
a reputable source.  I chalked it up to a load balancer, but I'm not
completely sure that's what it was.

Are there documented traffic signatures generated from network load
balancers from the various vendors out there?  It would be nice to rule
that out from the get-go.


Haven't finished analysis yet but I'm seeing a repeated attempt to
compromise a DNS/SMTP server (192.168.99.10).  Not sure what the
attempt is.  Any suggestions?

May 30 18:05:05 192.168.1.4 pix01: device_id=pix01 [Root]system-critical-00440: Fragmented traffic! From 142.46.146.6:53 to 192.168.99.10 :61113, proto UDP (zone Untrust, int ethernet1). Occurred 1 times. (2005-05-30 18:05:05)
May 30 18:05:05 192.168.1.4 pix01: device_id=pix01 [Root]system-critical-00440:

 John
 _______________________________________________
 Intrusions mailing list
 Intrusions at lists.sans.org
 http://www.dshield.org/mailman/listinfo/intrusions
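The two questions raised in this exchange (does the "Fragmented traffic!" event arrive steadily or in hourly bursts, and what the fragments actually look like on the wire) can both be answered with a few lines of stdlib Python. The following is an added example written for this page; it is not code from either poster. It parses firewall log lines in the format quoted above and groups them per source/destination pair to measure the gap between events, and it decodes the fragmentation fields (identification, DF/MF flags, fragment offset, payload length) from a raw IPv4 header so that captured fragments can be characterised. The log lines and the packet headers are constructed for the example; only the first log line mirrors the one quoted in the thread, and the `burst_gap_seconds` threshold, `make_fragment` helper and its sample values are assumptions.

```python
import re
import struct
from datetime import datetime

# Constructed sample log lines in the format quoted in the thread. The first
# line reproduces the posted event; the other two are made up to show a
# one-second repeat followed by a one-hour gap.
SAMPLE_LOG = """\
May 30 18:05:05 192.168.1.4 pix01: device_id=pix01 [Root]system-critical-00440: Fragmented traffic! From 142.46.146.6:53 to 192.168.99.10 :61113, proto UDP (zone Untrust, int ethernet1). Occurred 1 times. (2005-05-30 18:05:05)
May 30 18:05:06 192.168.1.4 pix01: device_id=pix01 [Root]system-critical-00440: Fragmented traffic! From 142.46.146.6:53 to 192.168.99.10:61113, proto UDP (zone Untrust, int ethernet1). Occurred 3 times. (2005-05-30 18:05:06)
May 30 19:05:05 192.168.1.4 pix01: device_id=pix01 [Root]system-critical-00440: Fragmented traffic! From 142.46.146.6:53 to 192.168.99.10:61114, proto UDP (zone Untrust, int ethernet1). Occurred 2 times. (2005-05-30 19:05:05)
"""

# Tolerates the stray space before the destination port seen in the posted line.
LOG_RE = re.compile(
    r"Fragmented traffic! From (?P<src>[\d.]+):(?P<sport>\d+) to "
    r"(?P<dst>[\d.]+) ?:(?P<dport>\d+), proto (?P<proto>\w+).*?"
    r"Occurred (?P<count>\d+) times\. \((?P<ts>[\d-]+ [\d:]+)\)"
)


def parse_events(text):
    """Extract one record per 'Fragmented traffic!' line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "proto": m.group("proto"), "count": int(m.group("count")),
        })
    return events


def summarize(events, burst_gap_seconds=60):
    """Per (src, dst) pair: total hits, time span, largest inter-event gap and a
    'sustained' vs 'bursts' label (assumed threshold: any gap above burst_gap_seconds)."""
    by_pair = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pair.setdefault((ev["src"], ev["dst"]), []).append(ev)
    result = {}
    for pair, evs in by_pair.items():
        times = [e["ts"] for e in evs]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        result[pair] = {
            "events": len(evs),
            "total": sum(e["count"] for e in evs),
            "span_seconds": (times[-1] - times[0]).total_seconds(),
            "max_gap_seconds": max(gaps) if gaps else 0.0,
            "pattern": "bursts" if gaps and max(gaps) > burst_gap_seconds else "sustained",
        }
    return result


def ipv4_fragment_info(packet):
    """Decode the fragmentation-relevant fields of a raw IPv4 packet (bytes)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum = struct.unpack(
        "!BBHHHBBH", packet[:12])
    ihl = (ver_ihl & 0x0F) * 4
    flags = flags_frag >> 13
    return {
        "version": ver_ihl >> 4,
        "header_len": ihl,
        "total_len": total_len,
        "identification": ident,
        "dont_fragment": bool(flags & 0b010),
        "more_fragments": bool(flags & 0b001),
        "offset": (flags_frag & 0x1FFF) * 8,   # offset field is in 8-byte units
        "protocol": proto,
        "payload_len": total_len - ihl,
    }


def make_fragment(total_len, ident, more_fragments, offset_bytes, proto=17):
    """Assumed helper: build a minimal IPv4 fragment (zero checksum, dummy payload)."""
    flags_frag = ((1 if more_fragments else 0) << 13) | (offset_bytes // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                         64, proto, 0, bytes([142, 46, 146, 6]), bytes([192, 168, 99, 10]))
    return header + b"\x00" * (total_len - 20)


if __name__ == "__main__":
    for pair, stats in summarize(parse_events(SAMPLE_LOG)).items():
        print(pair, stats)
    print(ipv4_fragment_info(make_fragment(1500, 0x1234, True, 0)))
    print(ipv4_fragment_info(make_fragment(120, 0x1234, False, 1480)))
```

Feed `parse_events` the full syslog export rather than the sample and the `pattern` label answers the "long period or bursts" question directly; feeding `ipv4_fragment_info` the bytes of each captured fragment gives the lengths and offsets the first reply asks for.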