[Bro] Strange Packet (invert ip)

rmkml rmkml at wanadoo.fr
Sun Sep 19 14:17:13 PDT 2004


Hi,

I received this packet (tcpdump383):

1095628174.157851 IP (tos 0x0, ttl 117, id 62764, offset 0, flags [none], length: 40) 211.91.135.39.80 > x.x.x.x.52510: S [tcp sum ok] 3738538976:3738538996(20) ack 1775556062 win 8760

but bro09a5 events this:

1095628174.157850 WeirdActivity bad_TCP_header_len x.x.x.x/52510 > 211.91.135.39/80

tethereal0101:

   1 23:09:34.157851 211.91.135.39 -> x.x.x.x TCP 80 > 52510 [SYN, ACK] Seq=0 Ack=1 Win=8760, bogus TCP header length (0, must be at least 20)

snort220:

09/19-23:09:34.157851  [**] [116:46:1] (snort_decoder) WARNING: TCP Data Offset is less than 5! [**] [Classification: A suspicious filename was detected] [Priority: 2] {TCP} 211.91.135.39:0 -> x.x.x.x:0


Why does bro invert the IP addresses?

And why does bro use bad TCP ports?

Regards

Rmkml at Wanadoo.fr
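The packet in the post is a SYN-ACK whose TCP data offset field is 0, so the header claims to be 0 bytes long: every tool above notices this, but each reports it differently (tcpdump treats the 20 header bytes as payload, hence "(20)"; tethereal and snort flag the offset; Bro logs it as a bad_TCP_header_len weird). The example below is added here and is not from the post or from Bro itself. It constructs the packet from the fields shown (ttl 117, id 62764, length 40, 211.91.135.39:80 > 52510, SYN+ACK, seq 3738538976, ack 1775556062, win 8760), with the TEST-NET address 192.0.2.1 standing in for x.x.x.x, decodes it, and applies the same minimum-header check Bro, tethereal and snort apply. It also shows the orientation Bro uses when the first packet it sees for a connection is a SYN-ACK: the sender of the SYN-ACK is the responder, so the connection is logged as x.x.x.x/52510 > 211.91.135.39/80 (originator > responder), not in wire src > dst order. Names such as build_packet and analyze are this example's own.

```python
import struct
from ipaddress import IPv4Address

# A TCP header is at least 20 bytes, i.e. a data offset of at least 5 (32-bit words).
TCP_MIN_HEADER = 20
TH_SYN, TH_ACK = 0x02, 0x10


def ipv4_checksum(header: bytes) -> int:
    """Ones-complement sum over the IPv4 header (checksum field zeroed by the caller)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(data_offset: int, dst: str = "192.0.2.1") -> bytes:
    """Construct the IPv4/TCP SYN-ACK from the post with a chosen TCP data offset.

    dst is a constructed TEST-NET address standing in for the x.x.x.x of the post.
    The TCP checksum is left at 0; the check below does not depend on it.
    """
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40, 62764, 0, 117, 6, 0,
                     IPv4Address("211.91.135.39").packed, IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    tcp = struct.pack("!HHIIBBHHH",
                      80, 52510, 3738538976, 1775556062,
                      (data_offset & 0x0F) << 4,   # data offset in the high nibble, reserved bits 0
                      TH_SYN | TH_ACK, 8760, 0, 0)
    return ip + tcp


def analyze(packet: bytes) -> dict:
    """Decode IPv4+TCP, report the tcpdump-style payload length and any header-length weird."""
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    ihl = (ver_ihl & 0x0F) * 4
    src, dst = str(IPv4Address(packet[12:16])), str(IPv4Address(packet[16:20]))
    if proto != 6:
        return {"src": src, "dst": dst, "weird": "not_tcp"}

    tcp = packet[ihl:total_len]
    sport, dport, seq, ack, off_res, flags, win = struct.unpack("!HHIIBBH", tcp[:16])
    doff = (off_res >> 4) * 4          # claimed TCP header length in bytes

    # Bro orients a connection by who sent the first SYN: a SYN-ACK comes from the
    # responder, so the originator is the receiving side (dst:dport).
    syn_ack = (flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK)
    orig, resp = ((dst, dport), (src, sport)) if syn_ack else ((src, sport), (dst, dport))

    return {
        "src": src, "sport": sport, "dst": dst, "dport": dport,
        "ttl": ttl, "seq": seq, "ack": ack, "flags": flags, "win": win,
        "data_offset": doff,
        # What tcpdump prints as "(n)": IP payload minus the header length the packet claims.
        "claimed_payload_len": len(tcp) - doff,
        "weird": "bad_TCP_header_len" if doff < TCP_MIN_HEADER else None,
        "bro_conn": "%s/%d > %s/%d" % (orig[0], orig[1], resp[0], resp[1]),
    }


if __name__ == "__main__":
    for off in (0, 5):
        r = analyze(build_packet(off))
        print("data offset %d -> payload %d, weird=%s, conn %s"
              % (off, r["claimed_payload_len"], r["weird"], r["bro_conn"]))
```

With a data offset of 0 the decoder, like tcpdump, sees 20 bytes of "payload" and, like Bro, raises bad_TCP_header_len; with the correct offset of 5 the same bytes decode as a plain 20-byte SYN-ACK with no payload. Because the SYN-ACK is the first packet of the flow, the connection string comes out as 192.0.2.1/52510 > 211.91.135.39/80, matching the order in the Bro weird line.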
