Security Incidents mailing list archives

RE: Strange TCP headers


From: Robert Buckley <rbuckley () synapsemail com>
Date: Fri, 10 May 2002 13:40:04 -0400

pb,
        < It's not like there's
a standard signature... ACK FIN URG set or something. Some have two flags,
some have three, some have all six, some have none. It really seems like
someone is manipulating these packets. >

It sure does seem that way; in fact I noticed in some of your output that
the header size was 0. Now we all know that's a sure impossibility. PIX won't
pass anything from a high -> low interface without a bare SYN on it first
anyway, so we can bet it's not going to get anywhere.

Mirror a port and throw a sniffer there and monitor the port in question. If
you find the garbage is truly garbage, and PIX is reporting correctly, trace
it back to the user.
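As an added example (not part of this thread, and not PIX code), here is a small Python parser for the fixed 20-byte TCP header that flags the kinds of combinations the thread describes: a data offset of 0 (header length 0), no flags at all, all six flags, and contradictory pairs such as SYN+FIN. Run over a mirrored-port capture, it separates genuinely malformed segments from normal traffic before anyone traces a host. The sample segments below are constructed inline for illustration.

```python
import struct

# The six classic TCP flag bits (low six bits of the offset/flags word).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed part of a TCP header (options are not interpreted)."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimal TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) & 0xF       # header length in 32-bit words
    flag_bits = off_flags & 0x3F                # FIN..URG
    flags = {name for name, bit in FLAGS.items() if flag_bits & bit}
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": data_offset, "header_len": data_offset * 4,
            "flags": flags, "window": window}


def anomalies(hdr: dict) -> list:
    """Reasons a header looks crafted rather than produced by a normal TCP stack."""
    reasons = []
    f = hdr["flags"]
    if hdr["data_offset"] < 5:
        reasons.append("data offset %d (header length %d bytes) is below the 20-byte minimum"
                       % (hdr["data_offset"], hdr["header_len"]))
    if not f:
        reasons.append("no flags set")
    if {"SYN", "FIN"} <= f:
        reasons.append("SYN and FIN set together")
    if {"SYN", "RST"} <= f:
        reasons.append("SYN and RST set together")
    if {"FIN", "PSH", "URG"} <= f and "ACK" not in f:
        reasons.append("FIN, PSH and URG set without ACK")
    if f == set(FLAGS):
        reasons.append("all six flags set")
    return reasons


def build_segment(sport: int, dport: int, flags: set, data_offset: int = 5) -> bytes:
    """Constructed test input: a 20-byte TCP header with the given flags and offset."""
    flag_bits = 0
    for name in flags:
        flag_bits |= FLAGS[name]
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (data_offset << 12) | flag_bits, 8192, 0, 0)


if __name__ == "__main__":
    # A normal SYN passes; ACK FIN URG with header size 0 (as in the thread) does not.
    for seg in (build_segment(1025, 80, {"SYN"}),
                build_segment(1025, 80, {"ACK", "FIN", "URG"}, data_offset=0)):
        h = parse_tcp_header(seg)
        print(sorted(h["flags"]), h["header_len"], anomalies(h) or "looks normal")
```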

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
