Re: [Snort-users] snort_decoder: Short UDP packet

(Snort forums, System Security and Security Related category)
If I had to guess, I'd say you have a mangled IPSEC via UDP packet
(normally associated w/port 4500). It'd be better if you had the actual
packet (and any others belonging to the session) captured.

Bammkkkk

On 9/12/06, Eric Hines <eric.hines@appliedwatch.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Has anyone seen this type of traffic before? It's a UDP Header Length >
> Payload Length alert but what's odd is the UDP Length is being reported
> as 4500 bytes! But the packet is actually quite small and you see it's
> not a fragment. The Source and Destination ports concern me along with
> who owns that IP address. Is this possibly related to Oracle in any way?
> Has anyone who runs Oracle seen this packet before? The IP owner
> information is below as well.
>
> IP Header HEX removed for privacy.
>
> - ------------- packet --------------
>
> APPLIED WATCH EVENT INFORMATION:
> Alert ID: 6388082
> Priority: 3
> Timestamp: Tue Sep 12 10:22:46 CDT 2006
> Signature ID: 97
> Message: snort_decoder: Short UDP packet, length field > payload length
>
> IP HEADER INFORMATION:
> Ver: 4
> Length: 108
> Flags: 0
> Checksum: 25081
> Hlen: 5
> ID: 1
> TTL: 128
> Source IP: XXX.XXX.XXX.XXX
> TOS: 0
> Offset: 0
> Proto: 17
> Dest IP: 148.87.5.71
>
> UDP PROTOCOL INFORMATION:
> Source Port: 37892
> Destination Port: 0
> Length: 4500
> Checksum: 4500
>
> PAYLOAD INFORMATION:
> 9404 0000 1194 1194 0054 0000 250f d5a6           .G.........T..%...
> 0000 0001 ee99 1554 273f 6db9 d50e 330c 8ae3      .......T'?m...3...
> e1e8 7a9c 1720 53cc 692a dcf1 c68e e3cd 231b      ..z.. S.i*......#.
> 8699 782c 82b6 6573 ea9a ef43 2e19 9d62 5a14      ..x,..es...C...bZ.
> 6478 e43e 25b2 480e 1d4e e9c0 5787 ee1e fbfd      dx.>%.H..N..W.....
>
>
> 148.87.5.71 is owned by Oracle it seems:
> - -----------------------
> OrgName:    Oracle Datenbanksysteme GmbH
> OrgID:      ODG-3
> Address:    500 Oracle Pkwy
> City:       Redwood Shores
> StateProv:  CA
> PostalCode: 94065
> Country:    US
>
> NetRange:   148.87.0.0 - 148.87.255.255
> CIDR:       148.87.0.0/16
> NetName:    ORACLE-AT
> NetHandle:  NET-148-87-0-0-1
> Parent:     NET-148-0-0-0-0
> NetType:    Direct Assignment
> NameServer: NS1.ORACLE.COM
> NameServer: NS4.ORACLE.COM
> Comment:
> RegDate:    1991-04-11
> Updated:    2002-04-15
>
> RTechHandle: JKD7-ARIN
> RTechName:   Doyle, John K.
> RTechPhone:  +1-650-506-2380
> RTechEmail:  john.doyle@oracle.com
>
> - --
>
> Best Regards,
>
> Eric S. Hines, GCIA, CISSP
> CEO, President, Chairman
> Applied Watch Technologies, LLC
>
>
> - --------------------------------------------------
>
> Eric S. Hines, GCIA, CISSP
> CEO, President, Chairman
> Applied Watch Technologies, LLC
>
> - --------------------------------------------------
>
> Email: eric.hines@appliedwatch.com
> Address: 1095 Pingree Road
> Suite 221
> Crystal Lake, IL
> 60014
> Tel: (877) 262-7593 ext:327
> Local: (847) 854-5831
> Fax: (847) 854-5106
> Web: http://www.appliedwatch.com
>
> - --------------------------------------------------
> Security Management for the Open Source Enterprise
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.4 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFFBysj1va6QYTV0EMRAkE+AJwLPG9ch0ZFDuW18aY6yUczIneimQCfSP9B
> IBagYj1HNpEVzIhfjREVeuk=
> =OODh
> -----END PGP SIGNATURE-----

--
sguil - The Analyst Console for NSM
http://sguil.sf.net
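As an added example (not part of the thread, and not Snort's own decoder code), the following Python re-parses the hex dump quoted above and applies the same sanity check that produces the "Short UDP packet, length field > payload length" alert: the 16-bit UDP length field is compared with the number of bytes actually present after the IP header. Parsed from byte 0, the header comes out exactly as the alert reported it (37892 to port 0, length 4500, checksum 4500, and 4500 > 88 bytes available). The realignment scan that follows is my own triage inference from the bytes, not something either poster states: the only offset at which the length field agrees with the bytes remaining is 4, where the header reads 4500 to 4500, length 84, and the eight bytes after it read as an ESP SPI and sequence number 1, which is consistent with Bamm's IPsec-over-UDP (NAT-T, RFC 3948) guess. The four leading bytes are left unexplained. The byte string is constructed from the post's dump (88 bytes, matching the alert's IP total length 108 minus a 20-byte header), and the function and verdict names are assumed labels.

```python
import struct

# Constructed from the hex dump quoted in the post (IP payload only; the
# poster withheld the IP header bytes). ASCII column omitted.
PACKET_DUMP = """
9404 0000 1194 1194 0054 0000 250f d5a6
0000 0001 ee99 1554 273f 6db9 d50e 330c 8ae3
e1e8 7a9c 1720 53cc 692a dcf1 c68e e3cd 231b
8699 782c 82b6 6573 ea9a ef43 2e19 9d62 5a14
6478 e43e 25b2 480e 1d4e e9c0 5787 ee1e fbfd
"""

# Values taken from the alert's IP header section.
IP_TOTAL_LENGTH = 108
IP_HEADER_LENGTH = 5 * 4   # Hlen 5, in 32-bit words
UDP_HEADER_LENGTH = 8
NAT_T_PORT = 4500          # UDP-encapsulated ESP/IKE, RFC 3948


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn a whitespace-separated hex dump (no ASCII column) into bytes."""
    return bytes.fromhex("".join(dump.split()))


def decode_udp(ip_payload: bytes, offset: int = 0) -> dict:
    """Parse a UDP header at `offset` and apply the length sanity check
    behind the decoder alert in the post. Verdict names are assumed labels
    modelled on the alert text, not Snort's own identifiers:
      'truncated'  fewer than 8 bytes available for a header
      'zero'       length field is 0
      'short'      length field > bytes actually present (the alert in the post)
      'long'       length field < bytes actually present
      'ok'         length field == bytes present
    """
    available = len(ip_payload) - offset
    if available < UDP_HEADER_LENGTH:
        return {"offset": offset, "available": available, "verdict": "truncated"}
    sport, dport, length, checksum = struct.unpack_from("!HHHH", ip_payload, offset)
    if length == 0:
        verdict = "zero"
    elif length > available:
        verdict = "short"
    elif length < available:
        verdict = "long"
    else:
        verdict = "ok"
    return {"offset": offset, "available": available, "sport": sport,
            "dport": dport, "length": length, "checksum": checksum,
            "verdict": verdict}


def realign_candidates(ip_payload: bytes) -> list:
    """Offsets at which a UDP length field matches the bytes that remain.
    A triage aid for a decoder alert: does a self-consistent header exist a
    few bytes further into the datagram?"""
    return [off for off in range(0, len(ip_payload) - UDP_HEADER_LENGTH + 1)
            if decode_udp(ip_payload, off)["verdict"] == "ok"]


def decode_esp(ip_payload: bytes, offset: int) -> tuple:
    """Read an ESP SPI and sequence number (RFC 4303 header layout)."""
    return struct.unpack_from("!II", ip_payload, offset)


def triage(dump: str = PACKET_DUMP) -> dict:
    """Run the whole analysis on one dump and return the findings."""
    payload = hexdump_to_bytes(dump)
    candidates = realign_candidates(payload)
    result = {
        "bytes": len(payload),
        "matches_ip_length": len(payload) == IP_TOTAL_LENGTH - IP_HEADER_LENGTH,
        "as_alerted": decode_udp(payload, 0),   # what the decoder saw
        "candidates": candidates,
    }
    if candidates:
        realigned = decode_udp(payload, candidates[0])
        result["realigned"] = realigned
        inner = candidates[0] + UDP_HEADER_LENGTH
        # On port 4500 the UDP payload is ESP unless it starts with the
        # 4-zero-byte Non-ESP Marker (IKE), RFC 3948 section 2.2.
        if NAT_T_PORT in (realigned["sport"], realigned["dport"]) \
                and payload[inner:inner + 4] != b"\x00\x00\x00\x00":
            result["esp"] = decode_esp(payload, inner)
    return result


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Run as a script it prints the decoder's view, the single candidate realignment, and the ESP header fields; a practitioner with the full pcap (which Bamm asks for) would confirm the four-byte prefix and check the UDP checksum against the real source address, which the post redacts.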