The last snort alert we identified as automated behavior is BAD-TRAFFIC tcp port 0 traffic. Only five sources triggered it:
211.47.255.20 211.47.255.24 211.47.255.21 66.250.114.252 211.47.255.22
None of these addresses triggered any other alert. Either something is wrong with the network stacks of these machines, or a firewall/gateway on the network path mangled the port numbers in some odd way. Another explanation for this type of traffic is OS fingerprinting[20] using port 0: the fingerprinting tool sends a series of crafted packets to the target from and to port 0 and analyzes the responses for stack-specific behavior. Although the value 0 fits in the 16-bit port field, it is reserved; no program should listen on port 0 and no program should connect from port 0, so we strongly recommend blocking any traffic that uses this port. Blocking it in front of the sensor will of course also silence this alert, so log the dropped packets if you want to keep track of who is trying. A tool called gobbler-2.0.1-alpha[11] can perform port 0 fingerprinting and might be the source of these detects.
It would be interesting to repeat the analysis we did above, but using the difference between the IP IDs of consecutive packets from the same connection instead of packet inter-arrival times. The problem with having only the packets that triggered snort alerts is that such an analysis would not be very successful: every packet that did not trigger an alert is missing from the sample, so the gaps between the logged IP IDs would be large and irregular rather than the steady, monotonically increasing steps an incrementing stack produces. This analysis would make more sense on raw tcpdump logs.
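As an added example (not part of the original paper), the following Python script carries out the IP ID delta computation described above on constructed packet records, handles the 16-bit wraparound of the identification field, and illustrates the sparse-sample problem by running the same heuristic over a complete capture from one host and over the subset of its packets that an IDS rule might have logged. The addresses, packet records and classification thresholds are all assumptions made for the example.

```python
"""IP ID delta analysis per source (or per connection), with 16-bit wraparound.

Added example; not code from the original paper.  All packet records below are
constructed for illustration.
"""
from collections import defaultdict

ID_SPACE = 1 << 16  # the IP identification field is 16 bits wide


def ipid_deltas(packets, key=lambda p: p[0]):
    """Group packets by key (default: source address) in capture order and return
    {key: [delta, ...]} where delta = (id_n - id_{n-1}) mod 2**16.

    packets: iterable of (src, dst, ipid) tuples.
    Taking the difference modulo 2**16 keeps a counter that wraps from 65535
    to 0 looking like a step of +1 instead of a step of -65535.
    """
    last = {}
    deltas = defaultdict(list)
    for pkt in packets:
        k = key(pkt)
        ipid = pkt[2]
        if k in last:
            deltas[k].append((ipid - last[k]) % ID_SPACE)
        last[k] = ipid
    return dict(deltas)


def classify(deltas, max_step=16, min_samples=3):
    """Heuristic verdict on one source's delta sequence (thresholds are assumptions).

    A stack with a single global counter shows small positive steps between
    consecutive packets seen from it; a stack that randomises the ID field
    shows steps spread over the whole 16-bit range; a sparse sample (e.g. only
    the packets that tripped an IDS rule) shows large, irregular gaps even
    when the host itself increments by one.
    """
    if len(deltas) < min_samples:
        return "insufficient"
    small = sum(1 for d in deltas if 1 <= d <= max_step)
    frac = small / len(deltas)
    if frac >= 0.9:
        return "incrementing"
    if frac <= 0.1:
        return "random-or-sparse"
    return "mixed"


def analyse(packets, **kw):
    """Return {key: (deltas, verdict)} for every source in the capture."""
    return {k: (d, classify(d, **kw)) for k, d in ipid_deltas(packets).items()}


# Constructed: host A uses a global incrementing ID starting just below the wrap.
HOST_A = "192.0.2.10"
FULL_CAPTURE = [(HOST_A, "198.51.100.1", (65500 + i) % ID_SPACE) for i in range(60)]

# Constructed: the subset of host A's packets that an IDS rule happened to log.
ALERT_INDICES = [0, 23, 24, 51, 52, 59]
ALERT_SUBSET = [FULL_CAPTURE[i] for i in ALERT_INDICES]

# Constructed: host B with a randomised ID field.
HOST_B = "192.0.2.20"
HOST_B_IDS = [4660, 51234, 10, 40001, 22222, 65000, 3000, 31415]
RANDOM_CAPTURE = [(HOST_B, "198.51.100.1", i) for i in HOST_B_IDS]

if __name__ == "__main__":
    samples = (("full capture", FULL_CAPTURE),
               ("alert subset", ALERT_SUBSET),
               ("random IDs", RANDOM_CAPTURE))
    for name, pkts in samples:
        for src, (d, verdict) in analyse(pkts).items():
            print(f"{name:13s} {src:12s} deltas={d[:8]} verdict={verdict}")
```

Run stand-alone it prints one verdict per source: the complete capture from host A is recognised as an incrementing stack, the alert-only subset of the very same packets comes out as "mixed" because of the gaps, and host B is flagged as random. To group by connection rather than by host, pass `key=lambda p: (p[0], p[1])` (extend the tuple with the ports if needed). On real data the tuples can be built from `tcpdump -nnv` output, which prints the identification field as `id NNN` for each packet.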