Educause Security Discussion mailing list archives
Re: Data in SYN Packets
From: Mark Newman <mnx () UTK EDU>
Date: Mon, 26 Mar 2007 18:09:07 -0400
Hi - the 3DNS theory is as close to being reasonable as anything anyone could suggest...without seeing a full packet dump...so, even though I love that darn Google...searching through a packet dump is a better place to start.

...with many commercial IPS/IDS, you get lots of fancy signatures, flexibility in response, a supposedly better ~approximation~ towards anomaly detection, blobbity-blah-blah...but, you aren't privileged enough to see the actual structure of the signatures...(may the sun continue to shine forever on open source)

...to have the most accurate understanding of what is really happening you have to be able to (1) see and understand the stimulus/response (the packets), (2) understand how the stimulus/response is processed by the 100 gajillion dollar IPS/IDS (the structure and inner workings of the signature, etc. - yeah, right), and (3) distinguish and understand the "alert" or "response" (if you get one...) as useful or...not

Mark Newman
University of Tennessee, Knoxville

On Mon, 2007-03-26 at 15:51 -0400, scott hollatz wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

In our IPS log I see the following entry *TCP C2S Ambiguity: Data in SYN Packet* daily directed towards our DNS server. These packets are coming from four or so different addresses in China. I did a brief Google search with results being a few or more years old. A couple of the posts reported the same *Data in SYN Packet* with the originating addresses also from China. Can anybody shed light on this? Thank you very much.

Could be 3DNS software for measuring DNS response time to find the quickest response to web requests, usually measured from several systems.

Mike Hanson
Network Security Manager
The College of St. Scholastica
Duluth, MN 55811
( mailto:n () css edu )

- --
scott hollatz net shollatz () d UMn eDu information technology systems and services
tel +1 218 726 8851 university of minnesota duluth mn usa
fax +1 218 726 7674
-- "Asn aD ta zlAp em uT zt33rg"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (SunOS)

iD8DBQFGCCRa4og1WWfEVRsRAgKiAJ9f/A8s3zIFRKUduhry+/Pf/Ml+pACfSR6J
LoFFPH54COFpaMhTJkndEQo=
=mbgQ
-----END PGP SIGNATURE-----
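Mark's point is that the alert only makes sense once you can see what the sensor saw: a SYN segment (SYN set, ACK clear, i.e. client-to-server) that already carries payload bytes. RFC 793 permits data in a SYN, and TCP Fast Open later standardized it, which is why the sensor calls it an "ambiguity" rather than an attack: an IPS that strips or ignores SYN data and the DNS server that may accept it could disagree on what the stream contained. The script below is an added example, not code from this thread or from any IPS product: it decodes raw IPv4/TCP frames and reports exactly the condition behind the alert. The frames, addresses (RFC 5737 documentation ranges) and 30-byte pseudo-DNS payload are constructed for the demo; the `build_ipv4_tcp` helper leaves checksums at zero because the detector never verifies them.

```python
"""Flag client-to-server TCP SYN segments that carry a payload, the condition
behind the "TCP C2S Ambiguity: Data in SYN Packet" alert discussed in the thread.
Added example; the packets below are constructed, not a real capture."""
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b""):
    """Constructed IPv4+TCP frame (no options, checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                      5 << 4,       # data offset = 5 words (20-byte header)
                      flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45,          # version 4, IHL 5 words
                     0, 20 + len(tcp), 0, 0, 64,
                     6,             # protocol = TCP
                     0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp


def parse_ipv4_tcp(frame):
    """Return the fields the detector needs, or None if not IPv4/TCP."""
    if len(frame) < 20 or frame[0] >> 4 != 4 or frame[9] != 6:
        return None
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    tcp = frame[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport, _seq, _ack, off_res, flags = struct.unpack("!HHIIBB", tcp[:14])
    data_off = (off_res >> 4) * 4          # TCP header length incl. options
    return {
        "src": ".".join(str(b) for b in frame[12:16]),
        "dst": ".".join(str(b) for b in frame[16:20]),
        "sport": sport, "dport": dport, "flags": flags,
        "payload": tcp[data_off:],
    }


def data_in_syn_alerts(frames):
    """One alert per client-to-server SYN (SYN set, ACK clear) that carries data."""
    alerts = []
    for frame in frames:
        p = parse_ipv4_tcp(frame)
        if p is None:
            continue
        is_c2s_syn = bool(p["flags"] & TCP_SYN) and not (p["flags"] & TCP_ACK)
        if is_c2s_syn and p["payload"]:
            alerts.append({
                "src": p["src"], "dst": p["dst"], "dport": p["dport"],
                "payload_len": len(p["payload"]),
                "msg": "TCP C2S Ambiguity: Data in SYN Packet",
            })
    return alerts


# Constructed sample traffic toward a DNS server; no frame here is from a capture.
DNS_LIKE = b"\x00\x1c" + b"\x00" * 28      # TCP DNS length prefix plus dummy query bytes
SAMPLE_FRAMES = [
    build_ipv4_tcp("198.51.100.7", "192.0.2.53", 40001, 53, TCP_SYN),                  # plain SYN
    build_ipv4_tcp("198.51.100.7", "192.0.2.53", 40001, 53, TCP_PSH | TCP_ACK, DNS_LIKE),  # data after handshake
    build_ipv4_tcp("203.0.113.9", "192.0.2.53", 51234, 53, TCP_SYN, DNS_LIKE),         # data in SYN: flagged
    build_ipv4_tcp("192.0.2.53", "203.0.113.9", 53, 51234, TCP_SYN | TCP_ACK, b"x"),   # server side, not C2S
]

if __name__ == "__main__":
    for a in data_in_syn_alerts(SAMPLE_FRAMES):
        print(f'{a["msg"]}: {a["src"]} -> {a["dst"]}:{a["dport"]} ({a["payload_len"]} bytes)')
```

Run over a real capture by feeding it the IP layer of each frame (strip the link-layer header first); the useful triage output is the source, the destination port and the payload length, which is enough to tell a handful of measurement probes from a stream of junk and to decide whether the SYN data ever reaches the DNS daemon.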
Current thread:
- Data in SYN Packets Mike Hanson (Mar 26)
- Re: Data in SYN Packets Justin Klein Keane (Mar 26)
- Re: Data in SYN Packets scott hollatz (Mar 26)
- Re: Data in SYN Packets Gibson, Nathan J. (HSC) (Mar 26)
- Re: Data in SYN Packets Mark Newman (Mar 26)
- Re: Data in SYN Packets Valdis Kletnieks (Mar 26)
- Re: Data in SYN Packets John Kristoff (Mar 27)
- Re: Data in SYN Packets scott hollatz (Mar 27)