Re: Data in SYN Packets

[Mark Newman <mnx () UTK EDU>]

Hi-
the 3DNS theory is as close to being reasonable as anything anyone could
suggest...without seeing a full packet dump...so, even though I love
that darn Google...searching through a packet dump is a better place to
start.

...with many commercial IPS/IDS, you get lots of fancy signatures,
flexibility in response, a supposedly better ~approximation~ towards
anomaly detection, blobbity-blah-blah...but, aren't privileged enough to
see the actual structure of the signatures...(may the sun continue to
shine forever on open source)

...to have the most accurate understanding of what is really happening
you have to be able to (1) see and understand the stimulus/response (the
packets), (2) understand how the stimulus/response is processed by the
100 gajillion dollar IPS/IDS (the structure and inner workings of the
signature, etc. - yeah, right), and (3) distinguish and understand the
"alert" or "response" (if you get one...) as useful or...not

Mark Newman
University of Tennessee, Knoxville

On Mon, 2007-03-26 at 15:51 -0400, scott hollatz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> > Hello,
> >
> > In our IPS log I see the following entry *TCP C2S Ambiguity: Data in
> > SYN Packet* daily directed towards our DNS server. These packets are
> > coming from four or so different addresses in China.  I did a brief
> > Google search with results being a few or more years old. A couple
> of
> > the posts reported the same *Data in SYN Packet* with the
> > originating addresses also from China.
> >
> > Can anybody shed light on this?
> >
> > Thank you very much.
>
> Could be 3DNS software for measuring DNS response time to find
> quickest
> response to web requests, ususally measured from several systems.
>
> > Mike Hanson
> > Network Security Manager
> > The College of St. Scholastica
> > Duluth, MN 55811
> >
> > ( mailto:n () css edu )
>
> - --
> scott hollatz                                        net
> shollatz () d UMn eDu
> information technology systems and services          tel +1 218 726
> 8851
> university of minnesota duluth mn usa                fax +1 218 726
> 7674
>
> --
>                                                "Asn aD ta zlAp em uT
> zt33rg"
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (SunOS)
>
> iD8DBQFGCCRa4og1WWfEVRsRAgKiAJ9f/A8s3zIFRKUduhry+/Pf/Ml+pACfSR6J
> LoFFPH54COFpaMhTJkndEQo=
> =mbgQ
> -----END PGP SIGNATURE-----