Security Incidents mailing list archives
strange packets
From: "Jason R. Seats" <Jason.Seats () TechGuardSecurity com>
Date: Mon, 25 Jun 2001 11:05:22 -0500
I also posted on the ids list last week - I recently came across several packets resembling this while tcpdumping.

14:35:10.076207 0:50:8b:f0:13:15 1:0:5e:1:2:3 ip 116: 192.168.50.46.402 > 225.1.2.3.402: udp 74
4500 0066 07df 0000 2011 bccd c0a8 322e
e101 0203 0192 0192 0052 efee 5265 7175
6573 743d 4765 7453 6572 7665 720a 4d41
432d 4164 6472 6573 733d 3030 3530 3842
4630 3133 3135 0a41 6464 6c2d 4d41 432d
4164 6472 6573 733d 3030 3530 3842 4630
3133 3135 0a00
All the packets were 192.168.50.*:402 -> 225.1.2.3:402
and when decoding the contents they are carrying:
Request=GetServer MAC-Address=00508BF01315 Addl-MAC-Address=00508BF01315
If you notice, that is the MAC of the 192. machine that sent the packet. There were no responses from the 225. addy, but several packets like this sent. Look familiar to anyone? Thanks in advance.

--
Jason Seats
Information Security Software Engineer
TechGuard Security
jason.seats () techguardsecurity com
www.techguardsecurity.com
636-519-4848
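
The capture quoted in the message above can be decoded field by field. The following is an added example, not part of the original post: it parses the posted hex as an IPv4/UDP datagram, verifies the IP header checksum, checks that the Ethernet destination is the standard multicast mapping of 225.1.2.3, and compares the MAC carried in the payload with the link-level source. The function names (`decode`, `norm_mac`, `header_checksum_ok`) are hypothetical.

```python
import ipaddress
import struct

# Bytes from the tcpdump hex dump in the post (IPv4 header onward).
DUMP = """4500 0066 07df 0000 2011 bccd c0a8 322e
e101 0203 0192 0192 0052 efee 5265 7175
6573 743d 4765 7453 6572 7665 720a 4d41
432d 4164 6472 6573 733d 3030 3530 3842
4630 3133 3135 0a41 6464 6c2d 4d41 432d
4164 6472 6573 733d 3030 3530 3842 4630
3133 3135 0a00"""
ETH_SRC, ETH_DST = "0:50:8b:f0:13:15", "1:0:5e:1:2:3"  # link-level header from the post


def norm_mac(mac):
    """Turn tcpdump's unpadded a:b:c form into 12 upper-case hex digits."""
    return "".join(f"{int(octet, 16):02X}" for octet in mac.split(":"))


def header_checksum_ok(header):
    """A valid IPv4 header's 16-bit words sum (ones' complement) to 0xffff."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode(dump, eth_src=ETH_SRC, eth_dst=ETH_DST):
    pkt = bytes.fromhex("".join(dump.split()))
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or pkt[9] != 17 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("expected one complete IPv4/UDP datagram")
    sport, dport, ulen, _ = struct.unpack("!4H", pkt[ihl:ihl + 8])
    text = pkt[ihl + 8:ihl + ulen].rstrip(b"\x00").decode("ascii")
    fields = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    dst = ipaddress.IPv4Address(pkt[16:20])
    # RFC 1112 mapping: 01:00:5e plus the low 23 bits of the group address.
    group_mac = bytes([0x01, 0x00, 0x5E, pkt[17] & 0x7F, pkt[18], pkt[19]]).hex().upper()
    return {
        "src": str(ipaddress.IPv4Address(pkt[12:16])), "dst": str(dst),
        "sport": sport, "dport": dport, "ttl": pkt[8], "payload_len": ulen - 8,
        "checksum_ok": header_checksum_ok(pkt[:ihl]),
        "multicast": dst.is_multicast,
        "eth_dst_matches_group": group_mac == norm_mac(eth_dst),
        "fields": fields,
        "payload_mac_is_sender": fields.get("MAC-Address") == norm_mac(eth_src),
    }


if __name__ == "__main__":
    for key, value in decode(DUMP).items():
        print(f"{key}: {value}")
```

The TTL of 32 and the trailing NUL byte after the last field are visible only in the raw bytes, not in the one-line tcpdump summary.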
