bsdjunkie
March 18th, 2003, 18:55
What can you tell me about the following packet??


02:32:46.539097 x.x.x.x.2845 > y.y.y.y.23: SF 3570069217:3570069217(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)


:roll:

schotty
March 19th, 2003, 02:44
> What can you tell me about the following packet??
>
> 02:32:46.539097 x.x.x.x.2845 > y.y.y.y.23: SF 3570069217:3570069217(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
>
> :roll:

At 02:32:46 someone from x.x.x.x port 2845 tried to ftp into y.y.y.y port 23.

Kernel_Killer
March 19th, 2003, 03:54
Source used 2845 to telnet into destination. :?:

bsdjunkie
March 19th, 2003, 10:56
OK, maybe I should get a little more specific with my question. What about this trace is "odd"? Should you see a packet like this in normal traffic?
BTW schotty, 23 isn't FTP :D

schotty
March 19th, 2003, 15:20
> OK, maybe I should get a little more specific with my question. What about this trace is "odd"? Should you see a packet like this in normal traffic?
> BTW schotty, 23 isn't FTP :D

Doh, I meant that. I have a table of port lists that I always check. I was FTPing some stuff last night, so maybe that's why I wrote that ...

I would have to answer the question you posed with no. IIRC (I don't have tcpdump installed ATM to verify for sure, just going from memory) the TCP/IP commands are not quite right. The NOPs seem out of place for some reason.

Then again, I don't proclaim to be a security guru/God and I am going from memory ... Errors are bound to occur ;D

bsdjunkie
March 19th, 2003, 15:47
OK, I think people are looking past the obvious currently. Hint: TCP flags...
8)

soup4you2
March 20th, 2003, 09:29
SYN+FIN :?:

bsdjunkie
March 20th, 2003, 10:43
Yup. In normal traffic, flags like SYN and FIN should not be set together.
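The rule stated here can be turned into a mechanical check over tcpdump output. What follows is an added example, not code from anyone in this thread: it parses the old one-line tcpdump TCP format shown in the original post and reports flag combinations that cannot occur in a normal session. The thread's own packet is the first sample line; the other sample lines are constructed. The extra rules (SYN+RST, no flags at all, FIN without ACK) go a step beyond the SYN+FIN case discussed here and rest on the fact that every legitimate segment after the initial SYN carries ACK.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Legacy (tcpdump 3.x) one-line TCP record, as seen in this thread:
#   HH:MM:SS.usec src.sport > dst.dport: FLAGS seq:seq(len) [ack N] win W <opts> (DF)
# Hosts may be dotted quads, names, or masked like x.x.x.x, so the
# host/port split relies on the last dot before the port number.
TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFPRUWE.]+)"
    r"(?P<rest>.*)$"
)


@dataclass
class TcpRecord:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"S","F","P","R","U","W","E"}; empty when tcpdump printed "."
    has_ack: bool     # old tcpdump prints ACK separately as "ack N" rather than as a flag letter


def parse_line(line: str) -> Optional[TcpRecord]:
    """Parse one tcpdump line; return None for lines that are not TCP in this format."""
    m = TCP_LINE.match(line.strip())
    if not m:
        return None
    flags = frozenset(c for c in m["flags"] if c != ".")
    has_ack = re.search(r"\back \d+", m["rest"]) is not None
    return TcpRecord(m["ts"], m["src"], int(m["sport"]),
                     m["dst"], int(m["dport"]), flags, has_ack)


def flag_anomalies(rec: TcpRecord) -> List[str]:
    """Reasons this segment's flag combination cannot come from a normal TCP session."""
    f = rec.flags
    found = []
    if "S" in f and "F" in f:
        found.append("SYN+FIN")          # open and close in one segment: the thread's case
    if "S" in f and "R" in f:
        found.append("SYN+RST")          # open and abort in one segment
    if not f and not rec.has_ack:
        found.append("NULL")             # no flags at all; no state of the TCP FSM emits this
    if "F" in f and "S" not in f and not rec.has_ack:
        found.append("FIN-without-ACK")  # FIN is only sent from established states, which always ACK
    return found


def scan(lines: List[str]) -> List[Tuple[str, str, str, List[str]]]:
    """Run the flag check over raw tcpdump lines; return (ts, src, dst, reasons) for hits."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = flag_anomalies(rec)
        if reasons:
            alerts.append((rec.ts, f"{rec.src}:{rec.sport}", f"{rec.dst}:{rec.dport}", reasons))
    return alerts


# Constructed sample: line 1 is the packet from this thread; lines 2-5 are a normal
# handshake, ACK and FIN/ACK; line 6 is a constructed segment with no flags and no ACK.
SAMPLE = """\
02:32:46.539097 x.x.x.x.2845 > y.y.y.y.23: SF 3570069217:3570069217(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
02:33:01.112233 10.0.0.5.3301 > 10.0.0.9.22: S 1000:1000(0) win 65535 <mss 1460,nop,wscale 1> (DF)
02:33:01.113000 10.0.0.9.22 > 10.0.0.5.3301: S 2000:2000(0) ack 1001 win 65535 <mss 1460> (DF)
02:33:01.113500 10.0.0.5.3301 > 10.0.0.9.22: . ack 2001 win 65535 (DF)
02:33:05.000000 10.0.0.5.3301 > 10.0.0.9.22: F 1001:1001(0) ack 2001 win 65535 (DF)
02:34:10.000000 10.0.0.7.4000 > 10.0.0.9.80: . 5000:5000(0) win 1024
"""

if __name__ == "__main__":
    for ts, src, dst, reasons in scan(SAMPLE.splitlines()):
        print(f"{ts} {src} > {dst}: {', '.join(reasons)}")
```

Only the first and last sample lines are reported; the plain SYN, the SYN with ack, the bare ACK and the FIN/ACK pass, which is the point of the check: a lone SYN is the one legitimate segment without ACK, and SYN combined with FIN never is.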

Strog
March 20th, 2003, 12:09
Oh, oh, I know.

It was received at 2:32am :twisted:

You asked this one on IRC or one just like it. heheh

bsdjunkie
March 20th, 2003, 12:45
I posted this one on IRC the other night hoping people would figure it out. =)

soup4you2
March 20th, 2003, 14:58
On FreeBSD you can add something to your rc.conf that will drop SYN+FIN packets:

tcp_drop_synfin="YES"

However, the docs state that if you do this it will break RFC compliance, but I've never seen any problems w/ it.

sysctl
net.inet.tcp.syncookies=0

tarballed
March 20th, 2003, 16:56
SYN+FIN,
SYN,ACK,

All sorts of flags and connection items that I need to familiarize myself with.
Anyone know of where I can get my hands on some good documentation so I can learn about this and join in the fun and games of deciphering TCPDUMP logs and snort logs? :)

Tarballed, who is very stressed and tired... :?

|MiNi0n|
March 20th, 2003, 22:47
> Anyone know of where I can get my hands on some good documentation so I can learn about this and join in the fun and games of deciphering TCPDUMP logs and snort logs? :)

The man page for nmap is always a good start:

http://www.insecure.org/nmap/data/nmap_manpage.html