Re: [Snort-users] snort_decoder: Short UDP packet
(Snort-users mailing list thread, archived in the Snort forums under System Security and Security Related)
Yep, the name says it all:

71.5.87.148.in-addr.arpa name = tele-csvpn-gw-3-r.oracle.com.

It's a Cisco VPN gateway at Oracle. Do you (or your customer) have a
customer/partner that would be VPNing back to Oracle?

Bammkkkk

On 9/12/06, Bamm Visscher <bamm.visscher@gmail.com> wrote:
> If I had to guess, I'd say you have a mangled IPSEC via UDP packet
> (normally associated w/port 4500). It'd be better if you had the
> actual packet (and any others belonging to the session) captured.
>
> Bammkkkk
>
>
> On 9/12/06, Eric Hines <eric.hines@appliedwatch.com> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Has anyone seen this type of traffic before? It's a UDP Header Length >
> > Payload Length alert, but what's odd is the UDP Length is being reported
> > as 4500 bytes! But the packet is actually quite small and you see it's
> > not a fragment. The Source and Destination ports concern me along with
> > who owns that IP address. Is this possibly related to Oracle in any way?
> > Has anyone who runs Oracle seen this packet before? The IP owner
> > information is below as well.
> >
> > IP Header HEX removed for privacy.
> >
> > - ------------- packet --------------
> >
> > APPLIED WATCH EVENT INFORMATION:
> > Alert ID: 6388082
> > Priority: 3
> > Timestamp: Tue Sep 12 10:22:46 CDT 2006
> > Signature ID : 97
> > Message: snort_decoder: Short UDP packet, length field > payload length
> >
> > IP HEADER INFORMATION:
> > Ver: 4
> > Length: 108
> > Flags: 0
> > Checksum: 25081
> > Hlen: 5
> > ID: 1
> > TTL: 128
> > Source IP: XXX.XXX.XXX.XXX
> > TOS: 0
> > Offset: 0
> > Proto: 17
> > Dest IP: 148.87.5.71
> >
> > UDP PROTOCOL INFORMATION:
> > Source Port: 37892
> > Destination Port: 0
> > Length: 4500
> > Checksum: 4500
> >
> > PAYLOAD INFORMATION:
> > 9404 0000 1194 1194 0054 0000 250f d5a6       .G.........T..%...
> > 0000 0001 ee99 1554 273f 6db9 d50e 330c 8ae3  .......T'?m...3...
> > e1e8 7a9c 1720 53cc 692a dcf1 c68e e3cd 231b  ..z.. S.i*......#.
> > 8699 782c 82b6 6573 ea9a ef43 2e19 9d62 5a14  ..x,..es...C...bZ.
> > 6478 e43e 25b2 480e 1d4e e9c0 5787 ee1e fbfd  dx.>%.H..N..W.....
> >
> >
> > 148.87.5.71 is owned by Oracle it seems:
> > - -----------------------
> > OrgName: Oracle Datenbanksysteme GmbH
> > OrgID: ODG-3
> > Address: 500 Oracle Pkwy
> > City: Redwood Shores
> > StateProv: CA
> > PostalCode: 94065
> > Country: US
> >
> > NetRange: 148.87.0.0 - 148.87.255.255
> > CIDR: 148.87.0.0/16
> > NetName: ORACLE-AT
> > NetHandle: NET-148-87-0-0-1
> > Parent: NET-148-0-0-0-0
> > NetType: Direct Assignment
> > NameServer: NS1.ORACLE.COM
> > NameServer: NS4.ORACLE.COM
> > Comment:
> > RegDate: 1991-04-11
> > Updated: 2002-04-15
> >
> > RTechHandle: JKD7-ARIN
> > RTechName: Doyle, John K.
> > RTechPhone: +1-650-506-2380
> > RTechEmail: john.doyle@oracle.com
> >
> > - --
> >
> > Best Regards,
> >
> > Eric S. Hines, GCIA, CISSP
> > CEO, President, Chairman
> > Applied Watch Technologies, LLC
> >
> >
> > - --------------------------------------------------
> >
> > Eric S. Hines, GCIA, CISSP
> > CEO, President, Chairman
> > Applied Watch Technologies, LLC
> >
> > - --------------------------------------------------
> >
> > Email: eric.hines@appliedwatch.com
> > Address: 1095 Pingree Road
> >          Suite 221
> >          Crystal Lake, IL
> >          60014
> > Tel: (877) 262-7593 ext:327
> > Local: (847) 854-5831
> > Fax: (847) 854-5106
> > Web: http://www.appliedwatch.com
> >
> > - --------------------------------------------------
> > Security Management for the Open Source Enterprise
> >
> >
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.4 (MingW32)
> > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> >
> > iD8DBQFFBysj1va6QYTV0EMRAkE+AJwLPG9ch0ZFDuW18aY6yU czIneimQCfSP9B
> > IBagYj1HNpEVzIhfjREVeuk=
> > =OODh
> > -----END PGP SIGNATURE-----
> >
> >
> > -------------------------------------------------------------------------
> > Using Tomcat but need to do more? Need to support web services, security?
> > Get stuff done quickly with pre-integrated technology to make your job easier
> > Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> > http://sel.as-us.falkag.net/sel?cmd=...057&dat=121642
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users@lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/...fo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.p...st=snort-users
> >
> >
> >
>
>
> --
> sguil - The Analyst Console for NSM
> http://sguil.sf.net

--
sguil - The Analyst Console for NSM
http://sguil.sf.net
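Added example, not code from the thread and not Snort's own decoder: a Python re-creation of the length check that raised the alert, run on a packet rebuilt from the values Eric posted. The 20-byte IP header is constructed from the alert's fields (the source address is a placeholder because the post masks it, so the recomputed header checksum will not equal 25081); the 88 bytes after it are the hex dump from the alert, whose first eight bytes are exactly what Snort reported as the UDP header (0x9404 = 37892, 0x0000 = 0, 0x1194 = 4500, 0x1194 = 4500). The example then goes one step beyond the post and scans the same bytes for an offset at which a UDP length field matches the bytes actually delivered: on this dump that is offset 4, where the header reads source port 4500, destination port 4500, length 84 (88 - 4) and checksum 0, i.e. the NAT-T port Bamm points at. The function and variable names are this example's own.

```python
"""Rebuild the packet behind the 'Short UDP packet' alert above, re-run the
decoder-style UDP length check, then look for where a UDP header that fits
the delivered bytes would sit.  Added illustration, not Snort code."""
import socket
import struct

# The 88 bytes after the IP header, as printed in the alert's PAYLOAD block
# (IP total length 108 minus the 20-byte header).  Copied from the post.
_ALERT_HEX = (
    "9404 0000 1194 1194 0054 0000 250f d5a6"
    "0000 0001 ee99 1554 273f 6db9 d50e 330c 8ae3"
    "e1e8 7a9c 1720 53cc 692a dcf1 c68e e3cd 231b"
    "8699 782c 82b6 6573 ea9a ef43 2e19 9d62 5a14"
    "6478 e43e 25b2 480e 1d4e e9c0 5787 ee1e fbfd"
)
ALERT_IP_PAYLOAD = bytes.fromhex(_ALERT_HEX.replace(" ", ""))

SRC_PLACEHOLDER = "192.0.2.10"  # assumption: the post masks the source as XXX.XXX.XXX.XXX
DST = "148.87.5.71"             # destination printed in the alert
_IPV4_FMT = "!BBHHHBBH4s4s"


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of 16-bit words; 0 when run over a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 17,
                      ttl: int = 128, ident: int = 1) -> bytes:
    """20-byte header with Ver 4, Hlen 5, TOS 0, Flags/Offset 0 as in the alert."""
    fields = [0x45, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ipv4_checksum(struct.pack(_IPV4_FMT, *fields))
    return struct.pack(_IPV4_FMT, *fields)


# Constructed packet: rebuilt header + the dump from the alert.
PACKET = build_ipv4_header(SRC_PLACEHOLDER, DST, len(ALERT_IP_PAYLOAD)) + ALERT_IP_PAYLOAD


def parse_ipv4(pkt: bytes) -> dict:
    """Minimal IPv4 parse returning the fields the alert prints plus the L4 bytes."""
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum, src, dst = \
        struct.unpack(_IPV4_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(pkt):
        raise ValueError("malformed IPv4 header")
    return {"ver": ver_ihl >> 4, "hlen": ihl // 4, "length": total_len, "id": ident,
            "ttl": ttl, "proto": proto, "flags": flags_frag >> 13,
            "offset": flags_frag & 0x1FFF, "checksum": csum, "tos": tos,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "l4": pkt[ihl:total_len]}


def decode_udp(l4: bytes) -> dict:
    """Decoder-style sanity checks on the UDP length field.
    'event' is None for a datagram whose length field matches the bytes delivered."""
    if len(l4) < 8:
        return {"event": "Truncated UDP header", "available": len(l4)}
    sport, dport, length, csum = struct.unpack("!HHHH", l4[:8])
    info = {"sport": sport, "dport": dport, "length": length, "checksum": csum,
            "available": len(l4), "event": None}
    if length < 8:
        info["event"] = "Invalid UDP header, length field < 8"
    elif length > len(l4):            # the condition behind the alert in the post
        info["event"] = "Short UDP packet, length field > payload length"
    elif length < len(l4):
        info["event"] = "Long UDP packet, length field < payload length"
    return info


def udp_header_candidates(l4: bytes) -> list:
    """Offsets at which eight bytes read as a UDP header whose length field is
    >= 8 and equals exactly the number of bytes remaining from that offset."""
    hits = []
    for off in range(0, len(l4) - 7):
        length = struct.unpack_from("!H", l4, off + 4)[0]
        if length >= 8 and length == len(l4) - off:
            hits.append(off)
    return hits


def udp_at(l4: bytes, off: int) -> dict:
    """UDP header at 'off' plus the first two 32-bit words that follow it."""
    sport, dport, length, csum, w1, w2 = struct.unpack_from("!HHHHII", l4, off)
    return {"sport": sport, "dport": dport, "length": length, "checksum": csum,
            "next_words": (w1, w2)}


if __name__ == "__main__":
    ip = parse_ipv4(PACKET)
    print("IP: length=%d hlen=%d proto=%d dst=%s" % (ip["length"], ip["hlen"], ip["proto"], ip["dst"]))
    print("UDP as the decoder sees it:", decode_udp(ip["l4"]))
    for off in udp_header_candidates(ip["l4"]):
        print("UDP header that fits the delivered bytes at offset %d:" % off, udp_at(ip["l4"], off))
```

The scan only shows that a self-consistent UDP header exists four bytes into the dump; it does not prove what those four leading bytes are or that the traffic was NAT-T, and the recomputed IP checksum is not comparable to the alert's because of the placeholder source address. Confirming the guess still requires what Bamm asked for: the full packet and the rest of the session captured.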