Hi,
I received this packet (tcpdump383):
1095628174.157851 IP (tos 0x0, ttl 117, id 62764, offset 0, flags [none], length: 40) 211.91.135.39.80 > x.x.x.x.52510: S [tcp sum ok] 3738538976:3738538996(20) ack 1775556062 win 8760
but bro09a5 reports this event:
1095628174.157850 WeirdActivity bad_TCP_header_len x.x.x.x/52510 > 211.91.135.39/80
tethereal0101:
1 23:09:34.157851 211.91.135.39 -> x.x.x.x TCP 80 > 52510 [SYN, ACK] Seq=0 Ack=1 Win=8760, bogus TCP header length (0, must be at least 20)
snort220:
09/19-23:09:34.157851 [**] [116:46:1] (snort_decoder) WARNING: TCP Data Offset is less than 5! [**] [Classification: A suspicious filename was detected] [Priority: 2] {TCP} 211.91.135.39:0 -> x.x.x.x:0
Why does bro invert the IPs?
And why does bro use a bad tcp port?
Regards
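As an added example, not part of the original post: a small Python decoder that applies the same TCP data-offset check that tethereal and snort flag above, run on a constructed packet that reuses the field values from the tcpdump line (the redacted x.x.x.x is replaced by the placeholder 10.0.0.1, and checksums are left at zero).

```python
import struct

TCP_MIN_HEADER_LEN = 20  # data offset must be >= 5 words, i.e. 20 bytes


def build_synack(data_offset: int = 0) -> bytes:
    """Constructed sample: IPv4 header + TCP SYN/ACK, 40 bytes on the wire.
    Ports, seq, ack, ttl, id and window mirror the tcpdump line in the post;
    10.0.0.1 stands in for the redacted x.x.x.x. data_offset=0 reproduces the
    bogus header, data_offset=5 gives a well-formed one."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 62764, 0, 117, 6, 0,      # v4/ihl5, len, id, ttl, proto TCP
                         bytes([211, 91, 135, 39]), bytes([10, 0, 0, 1]))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          80, 52510, 3738538976, 1775556062,
                          (data_offset & 0x0F) << 4,            # data offset nibble + reserved bits
                          0x12,                                 # flags: SYN|ACK
                          8760, 0, 0)                           # window, checksum, urgent ptr
    return ip_hdr + tcp_hdr


def check_tcp_header_len(packet: bytes) -> dict:
    """Decode IPv4/TCP and report whether the TCP data offset is sane.
    Mirrors the check behind 'bogus TCP header length' / 'Data Offset is less than 5'."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:
        raise ValueError("not a TCP segment")
    src_ip = ".".join(map(str, packet[12:16]))
    dst_ip = ".".join(map(str, packet[16:20]))
    tcp = packet[ihl:]
    sport, dport, seq, ack, off_res, flags, win = struct.unpack("!HHIIBBH", tcp[:16])
    hdr_len = (off_res >> 4) * 4
    return {
        "src": f"{src_ip}:{sport}",
        "dst": f"{dst_ip}:{dport}",
        "syn": bool(flags & 0x02),
        "ack": bool(flags & 0x10),
        "win": win,
        "tcp_header_len": hdr_len,
        # the decoder cannot trust anything after the fixed 16 bytes when this is set
        "bad_tcp_header_len": hdr_len < TCP_MIN_HEADER_LEN,
    }


if __name__ == "__main__":
    for off in (0, 5):
        print(check_tcp_header_len(build_synack(off)))
```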