Security Incidents mailing list archives
bad IP traffic
From: "operator" <operator () email it>
Date: Wed, 11 Jun 2003 14:52:16 +0200
My company NIDS, i.e. Snort 2.0, has been triggering a lot of "BAD-TRAFFIC bad frag bits" alerts for the last three or four days. These come out when a TCP packet has both the fragment and don't-fragment bits on. The target of these alerts is almost always the IP address of a particular web server (one of our server farm). Other alerts are triggered on this target; some are common ones, such as the Apache worm for old Apache versions, but that is the usual mal-traffic, while others are of the "bad TCP/IP traffic" type, such as anomalous TTL values for packets.

It seems to me this could be a scan/information-gathering technique, is that correct? Can this be a false positive? Can this be something more dangerous?

Any help will be very much appreciated.

Cheers,
Max

==============================================================
Lines below are "the price to pay" for a free service of a commercial ISP
==============================================================
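The condition behind the "bad frag bits" alert (DF and MF set in the same IPv4 header) can be checked directly on a raw packet. The following is an added example written for this archive page, not code from the poster or from Snort; the sample headers are constructed inline, and the extra reserved-bit check goes one step beyond the alert described in the post.

```python
import struct

# IPv4 "flags + fragment offset" field: bit 15 reserved, bit 14 DF, bit 13 MF,
# low 13 bits = fragment offset in 8-byte units.
IP_RESERVED = 0x8000
IP_DF = 0x4000
IP_MF = 0x2000
FRAG_OFFSET_MASK = 0x1FFF
IPV4_HDR = "!BBHHHBBH4s4s"  # 20-byte header without options


def build_ipv4_header(flags_frag, ttl=64, proto=6, src="10.0.0.1", dst="10.0.0.2"):
    """Construct a minimal 20-byte IPv4 header for testing (checksum left zero;
    the flag checks below do not depend on it). Addresses are constructed samples."""
    ver_ihl = (4 << 4) | 5
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack(IPV4_HDR, ver_ihl, 0, 20, 0x1234, flags_frag,
                       ttl, proto, 0, src_b, dst_b)


def check_ipv4_flags(pkt):
    """Return a list of anomaly labels for the IPv4 header at the start of pkt.

    'bad frag bits' mirrors the Snort alert from the post: DF and MF set together,
    a combination no conforming stack emits. A legitimate fragment sets MF (or a
    non-zero offset) without DF, and an ordinary packet may set DF alone."""
    if len(pkt) < 20:
        return ["truncated header"]
    ver_ihl, _tos, _tlen, _ident, flags_frag, _ttl, _proto, _csum, _src, _dst = \
        struct.unpack(IPV4_HDR, pkt[:20])
    if ver_ihl >> 4 != 4:
        return ["not IPv4"]
    findings = []
    if flags_frag & IP_DF and flags_frag & IP_MF:
        findings.append("bad frag bits: DF and MF both set")
    if flags_frag & IP_RESERVED:
        findings.append("reserved flag bit set")
    return findings
```

Run over captured packets, a steady stream of such findings from one source toward one host points at crafted packets rather than a misbehaving stack, which is what distinguishes a probe from a false positive.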
Current thread:
- bad IP traffic operator (Jun 11)