Snort mailing list archives
Re: bad traffic in syn packet
From: Brian Coyle <brian () linuxwidows com>
Date: Tue, 6 Sep 2005 21:30:26 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[snort-sigs dropped from reply as it's OT for that list]

On Tuesday 06 September 2005 09:10, John Hally wrote:
Need a quick sanity check here. I'm seeing alerts for traffic in syn packets, and all are destined for TCP/53. Is it possible that data is being piggy-backed in the syn packet on purpose and the traffic is benign? I don't see any other anomalies to or from these hosts, but wanted to make sure that I'm not overlooking something obvious.
Take a look at this analysis and see if it matches your traffic-
http://cert.uni-stuttgart.de/archive/intrusions/2002/09/msg00123.html

- -- 
Redundancy? You can say that again!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: Brian Coyle, GCIA http://www.giac.org/GCIA.php

iD8DBQFDHkK6ER3MuHUncBsRAvJJAJ9eCoWfj2drGVTA36QzSC8GTsfMaQCggLXT
6UyDHARlgD3RIS/UK2Q47Uk=
=KqNH
-----END PGP SIGNATURE-----
Current thread:
- bad traffic in syn packet John Hally (Sep 06)
- Re: [Snort-sigs] bad traffic in syn packet Frank Knobbe (Sep 07)
- Re: bad traffic in syn packet Brian Coyle (Sep 19)