Port 5000 Traffic Continues; Fragmented tcp/16191 Update
Port 5000 Traffic Continues
As reported in yesterday's diary, two worms (Bobax and Kibuv.B) are responsible for the increase in tcp/5000 traffic. Microsoft Windows systems that are currently patched are not vulnerable to either worm.
Fragmented tcp/16191 Update
Additional information on the report of fragmented IP traffic towards port 16191 in the May 14 diary ( http://isc.sans.org/diary.php?date=2004-05-14 ) arrived in the mailbag today. James tells us,
"I have seen this before inside my network, and recently am seeing it again, including a couple of hits from outside now. Using Cisco v2 IDS sensors on my internal network I always see these as a set of 3 signatures:
1203 - IP fragment overwrite - Data is overwritten
1204 - IP fragment missing initial fragment
1208 - IP fragment incomplete dgram
The Cisco IDS usually indicates whether a port is a TCP or UDP port, but in this case the protocol field of the alert simply says IP."
Handler Ed Skoudis explains, "That's likely because the higher-layer protocol (TCP or UDP) header is typically included in the first fragment, including the port number itself. Therefore, because you are getting:
1204 - IP fragment missing initial fragment
You aren't seeing the TCP/UDP stuff, so the IDS labels it merely as IP."
Additional details from Cisco on packet fragmentation are online at http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids4/11657_02.htm#xtocid11
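To make the explanation above concrete, here is an added example (not code from the diary, from Cisco, or from the reader who wrote in) that classifies a set of IPv4 fragments with checks modelled on the three signature names James listed and shows why a datagram whose first fragment is missing can only be labelled "IP". The fragment sets, the port numbers and the signature strings are constructed for illustration; the checks are a simplified approximation, not the exact logic of the Cisco sensor.

```python
"""Classify IPv4 fragment sets with checks modelled on the three IDS signature
names from the diary, and show why a datagram missing its first fragment carries
no recoverable TCP/UDP port. Constructed sample data, not captured traffic."""
import struct
from dataclasses import dataclass

PROTO_TCP, PROTO_UDP = 6, 17


@dataclass
class Fragment:
    ident: int        # IPv4 Identification field, shared by all pieces of one datagram
    proto: int        # IPv4 Protocol field (6 = TCP, 17 = UDP)
    offset: int       # fragment offset in bytes (header field value * 8)
    more: bool        # More Fragments (MF) flag
    payload: bytes    # bytes following the IP header in this fragment


def transport_ports(frag):
    """Return (src_port, dst_port) or None. Ports are only recoverable from the
    fragment at offset 0, because the TCP/UDP header is the start of the IP payload."""
    if frag.offset != 0 or frag.proto not in (PROTO_TCP, PROTO_UDP) or len(frag.payload) < 4:
        return None
    return struct.unpack("!HH", frag.payload[:4])


def classify(frags):
    """Return (protocol label, list of findings) for the fragments of one datagram."""
    findings = []
    ordered = sorted(frags, key=lambda f: f.offset)
    first = next((f for f in ordered if f.offset == 0), None)
    if first is None:
        findings.append("1204 IP fragment missing initial fragment")

    # 1203-style check: a later fragment starts inside data an earlier one already covered
    covered = 0
    for f in ordered:
        if f.offset < covered:
            findings.append("1203 IP fragment overwrite")
            break
        covered = max(covered, f.offset + len(f.payload))

    # 1208-style check: not contiguous from offset 0 through a final (MF=0) fragment
    end, contiguous = 0, True
    for f in ordered:
        if f.offset > end:
            contiguous = False
            break
        end = max(end, f.offset + len(f.payload))
    has_last = any(not f.more for f in ordered)
    if not (contiguous and first is not None and has_last):
        findings.append("1208 IP fragment incomplete dgram")

    # Without the first fragment there is no transport header to read a port from,
    # so the best label available is the bare IP protocol.
    ports = transport_ports(first) if first is not None else None
    if ports is None:
        label = "IP"
    else:
        label = {PROTO_TCP: "TCP", PROTO_UDP: "UDP"}[first.proto] + f"/{ports[1]}"
    return label, findings


def sample_datagrams():
    """Constructed fragment sets: a 20-byte TCP header to port 16191 (constructed value
    matching the diary's port) followed by filler. Offsets are multiples of 8 as required."""
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 16191, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    intact = [
        Fragment(1, PROTO_TCP, 0, True, tcp_hdr + b"A" * 12),   # 32 bytes, carries the header
        Fragment(1, PROTO_TCP, 32, False, b"B" * 16),
    ]
    headless = [                                                # first fragment never arrived
        Fragment(2, PROTO_TCP, 32, True, b"B" * 16),
        Fragment(2, PROTO_TCP, 48, False, b"C" * 8),
    ]
    overlapping = [
        Fragment(3, PROTO_TCP, 0, True, tcp_hdr + b"A" * 12),
        Fragment(3, PROTO_TCP, 24, False, b"X" * 16),           # rewrites bytes 24-31
    ]
    return {"intact": intact, "headless": headless, "overlapping": overlapping}


if __name__ == "__main__":
    for name, frags in sample_datagrams().items():
        label, findings = classify(frags)
        print(f"{name:12s} label={label:10s} findings={findings}")
```

Running it shows the "headless" set producing both the missing-initial-fragment and incomplete-datagram findings with the label "IP", which is the combination James describes; only the sets that include the offset-0 fragment can be labelled TCP with a port.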
Marcus H. Sachs
Handler on Duty