Security Incidents mailing list archives

RE: Suspect short first fragment?


From: "Ralph Los" <RLos () enteredge com>
Date: Thu, 28 Feb 2002 13:28:22 -0500

Fragmented port-0 (nmap) scan, with fragmentation enabled??  Just a thought.

----------------------------------------|
Ralph M. Los
Sr. Security Consultant and Trainer
          EnterEdge Technology, L.L.C.
          rlos () enteredge com
          (770) 955-9899 x.206
----------------------------------------| 

::-----Original Message-----
::From: jamie () jamie-sue org [mailto:jamie () jamie-sue org] 
::Sent: Thursday, February 28, 2002 12:57 PM
::To: incidents () securityfocus com
::Subject: Suspect short first fragment?
::
::I got several of these messages in my syslogd logs - I'm using Redhat 7.1
::
::any idea?  Is this an attack?
::
::Suspect short first fragment. eth0 PROTO=17 212.15.64.83:0 200.186.111.146:0 L=20 S=0x00 I=40960 F=0x4000 T=116 (#0)
::
::----------------------------------------------------------------------------
::This list is provided by the SecurityFocus ARIS analyzer service.
::For more information on this free incident handling, management
::and tracking system please see: http://aris.securityfocus.com
::
::
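
For triage of the log line quoted in this thread, the following added example (not part of either post) decodes its fields and checks whether the reported packet length leaves room for a transport header. The field meanings (L = total IP length, S = TOS, I = IP ID, F = flags plus fragment offset, T = TTL) are assumed from the ipchains packet-log format; the function and key names are hypothetical.

```python
import re

# Assumed ipchains-style layout:
# <iface> PROTO=<n> src:port dst:port L=<len> S=<tos> I=<id> F=<frag> T=<ttl>
LOG_RE = re.compile(
    r"(?P<iface>\S+)\s+PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"L=(?P<length>\d+)\s+S=(?P<tos>0x[0-9A-Fa-f]+)\s+I=(?P<ip_id>\d+)\s+"
    r"F=(?P<frag>0x[0-9A-Fa-f]+)\s+T=(?P<ttl>\d+)"
)

MIN_IP_HEADER = 20                    # IPv4 header without options, in bytes
MIN_L4_HEADER = {1: 8, 6: 20, 17: 8}  # ICMP, TCP, UDP minimum header sizes

# The line as quoted in the original post.
SAMPLE = ("Suspect short first fragment. eth0 PROTO=17 212.15.64.83:0 "
          "200.186.111.146:0 L=20 S=0x00 I=40960 F=0x4000 T=116 (#0)")


def decode(line):
    """Decode one log line; return None when it does not match the layout."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    proto, length = int(m["proto"]), int(m["length"])
    frag = int(m["frag"], 16)
    payload_max = max(length - MIN_IP_HEADER, 0)  # bytes left after IP header
    need = MIN_L4_HEADER.get(proto)               # None for other protocols
    return {
        "iface": m["iface"],
        "src": m["src"],
        "dst": m["dst"],
        "proto": proto,
        "length": length,
        "ip_id": int(m["ip_id"]),
        "ttl": int(m["ttl"]),
        "df": bool(frag & 0x4000),            # Don't Fragment flag
        "mf": bool(frag & 0x2000),            # More Fragments flag
        "frag_offset": (frag & 0x1FFF) * 8,   # offset is stored in 8-byte units
        "payload_max": payload_max,
        "l4_header_fits": None if need is None else payload_max >= need,
    }


if __name__ == "__main__":
    for key, value in decode(SAMPLE).items():
        print(f"{key:15} {value}")
```

Under those assumptions the quoted line decodes to a UDP packet with DF set, MF clear and offset 0, whose total length of 20 bytes leaves no room for the 8-byte UDP header.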

