Security Basics mailing list archives
RE: TCP Syn Flooding
From: neopara <neopara () shaw ca>
Date: Thu, 20 Feb 2003 18:14:58 -0600
Most of the stand-alone or built-in (i.e. in firewalls) IDSes use regular expressions to analyze the packets they are receiving. Now if a regular expression returns true after it is compared to a packet, then the IDS will alert the admin. In the world of IDS, pre-made regular expressions are called signatures, hence the name signature-based alerts. If you have ever used an IDS like RealSecure or Snort, this can cause some headaches because the signatures are too vague, and they get triggered too easily. That is why IDSes are not the end-all solution. When you get an alert, check it out, but don't think right off the bat that you are getting attacked. I hope that helped a bit.

Paul Sliwowski

On Tue, 2003-02-18 at 12:22, Tim Laureska wrote:
> Uuh... basic question I'm sure, but what do you mean by a "signature based alert"?
>
> -----Original Message-----
> From: neopara [mailto:neopara () shaw ca]
> Sent: Tuesday, February 18, 2003 12:32 AM
> To: security-basics
> Subject: Re: TCP Syn Flooding
>
> On Sat, 2003-02-15 at 08:20, Tim Laureska wrote:
> > OK. I just installed a Netgear firewall box between a cable modem and an NT 4.0 server on a small network, and set it up to email me attempts at security breaches. I am brand new to these devices and a relative neophyte to internet/internal network security. So the question is this. I received this message a few times yesterday after I installed the box:
> >
> > Fri, 02/14/2003 20:35:01 - TCP connection dropped - Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN - 'TCP:Syn Flooding'
> > End of Log ----------
> >
> > What should I make of this?
> > T.
>
> It could also be a false positive? IDSes are kinda sensitive to syn flood signatures. I am guessing your firewall is just dropping the syn packet, so an application could be repeatedly trying to establish a connection, which is triggering that signature. It would help to know if there is a legitimate application that hits port 20306.
>
> P.S. You should take signature based alerts with a grain of salt.
>
> Pawel Sliwowski
> Nothing More, For Me to Say, About my life, A Life of Dreams....
-- Nothing More, For Me to Say, About my life, A Life of Dreams....
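As an added example (not code from any post in this thread), the following Python sketches what neopara describes: a regular-expression signature that picks out SYN packets, a vague "many SYNs to one destination" rule that fires on a single host retrying a connection the firewall keeps dropping, and a stricter rule that also requires a burst from many distinct sources. The one-line packet summary format, the addresses 10.0.0.5 and 198.51.100.x, and the thresholds are assumptions made for the example; the destination 69.2.167.25:20306 is taken from the log quoted above.

```python
import re
from collections import defaultdict

# One packet summary per line.  The format is constructed for this example
# (not the Netgear log format): "<seconds> <src> <sport> <dst> <dport> <flags>".
# The signature is a regular expression that matches only a bare SYN ("S").
SYN_SIGNATURE = re.compile(
    r"^(?P<t>\d+(?:\.\d+)?) (?P<src>\S+) (?P<sport>\d+) "
    r"(?P<dst>\S+) (?P<dport>\d+) (?P<flags>S)$"
)

# Constructed sample: one SYN, the SYN-ACK reply, and the final ACK.
SAMPLE_TRACE = """\
0.0 10.0.0.5 40001 69.2.167.25 20306 S
0.1 69.2.167.25 20306 10.0.0.5 40001 SA
0.2 10.0.0.5 40001 69.2.167.25 20306 A"""


def parse_syns(trace):
    """Return (time, src, dst, dport) for each line the SYN signature matches."""
    syns = []
    for line in trace.splitlines():
        m = SYN_SIGNATURE.match(line)
        if m:
            syns.append((float(m["t"]), m["src"], m["dst"], int(m["dport"])))
    return syns


def _recent(history, key, t, item, window):
    """Append item to history[key] and drop entries older than window seconds."""
    entries = history[key]
    entries.append((t, item))
    while entries and t - entries[0][0] > window:
        entries.pop(0)
    return entries


def naive_alerts(trace, threshold=3, window=60.0):
    """Vague signature: any dst:port that sees >= threshold SYNs inside window.
    This is the kind of rule that fires on ordinary retransmissions."""
    alerts = set()
    history = defaultdict(list)
    for t, src, dst, dport in parse_syns(trace):
        if len(_recent(history, (dst, dport), t, src, window)) >= threshold:
            alerts.add((dst, dport))
    return alerts


def strict_alerts(trace, threshold=20, window=1.0, min_sources=10):
    """Stricter rule: a burst of SYNs inside a short window that also comes
    from many distinct sources, which a single retrying client cannot produce."""
    alerts = set()
    history = defaultdict(list)
    for t, src, dst, dport in parse_syns(trace):
        recent = _recent(history, (dst, dport), t, src, window)
        if len(recent) >= threshold and len({s for _, s in recent}) >= min_sources:
            alerts.add((dst, dport))
    return alerts


def make_retry_trace(n=10, interval=2.0):
    """One client (constructed address 10.0.0.5) re-sending a SYN every
    `interval` seconds because the firewall keeps dropping it."""
    return "\n".join(
        f"{i * interval:.1f} 10.0.0.5 40001 69.2.167.25 20306 S" for i in range(n)
    )


def make_flood_trace(n=50, span=0.5):
    """`n` SYNs inside `span` seconds from `n` different (constructed,
    TEST-NET-2) source addresses: a real flood."""
    return "\n".join(
        f"{i * span / n:.3f} 198.51.100.{i + 1} {1024 + i} 69.2.167.25 20306 S"
        for i in range(n)
    )


if __name__ == "__main__":
    for name, trace in (("retry", make_retry_trace()), ("flood", make_flood_trace())):
        print(name, "naive:", naive_alerts(trace), "strict:", strict_alerts(trace))
```

Run stand-alone, the naive rule flags 69.2.167.25:20306 for both traces, while the strict rule flags only the flood; the retrying client never has more than one SYN inside a one-second window and only one source address. Real products tune such rules differently, but the two results are the point of the thread: an alert named "Syn Flooding" tells you a counter tripped, not that an attack happened.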
Current thread:
- TCP Syn Flooding Tim Laureska (Feb 17)
- Re: TCP Syn Flooding Matt Thoene (Feb 17)
- Re: TCP Syn Flooding Ivan Hernandez (Feb 17)
- RE: TCP Syn Flooding Craig Searle (Feb 18)
- RE: TCP Syn Flooding Tim Laureska (Feb 18)
- RE: TCP Syn Flooding Craig Searle (Feb 18)
- RE: TCP Syn Flooding Tim Laureska (Feb 18)
- RE: TCP Syn Flooding Tim Laureska (Feb 18)
- Re: TCP Syn Flooding Anders Reed Mohn (Feb 18)
- Re: TCP Syn Flooding neopara (Feb 18)
- RE: TCP Syn Flooding Tim Laureska (Feb 19)
- RE: TCP Syn Flooding neopara (Feb 20)
- Windows auditing eric (Feb 22)
- RE: TCP Syn Flooding Tim Laureska (Feb 19)
- <Possible follow-ups>
- RE: TCP Syn Flooding Michael Parker (Feb 17)
- RE: TCP Syn Flooding Anomaly (Feb 18)
- Re: TCP Syn Flooding Chris Berry (Feb 17)
- re: TCP Syn Flooding H C (Feb 18)
- RE: TCP Syn Flooding Michael Parker (Feb 18)
- RE: TCP Syn Flooding Fields, James (Feb 18)
- RE: TCP Syn Flooding s7726 (Feb 19)
- RE: TCP Syn Flooding Michael Parker (Feb 19)