Snort mailing list archives

Re: Too many stealth alerts


From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 15 Apr 2002 12:28:14 -0700 (PDT)

On Mon, 15 Apr 2002, Estes, Matt CPR / FCBS wrote:

I routinely(!) get "Stealth" packets from talkative Exchange servers... is
this ok?  Why would a machine possibly have null flags or every flag set in
a TCP packet?

Hardware problems?

Yep.  Running a MS OS on it.  ;-)

MS has a nasty habit of not following RFCs.  Due to that in many ways the
TCP/IP stack of some boxes seems 'broken', since it's not all quite standard.
But you're right....  That's not the way it should be.  Something is off
somewhere.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

