Snort mailing list archives
Re: Detecting TCP session without data after three-wayhandshake
From: "Giles Coochey" <giles () coochey net>
Date: Fri, 4 Nov 2011 10:39:00 +0100
On Fri, November 4, 2011 03:56, Jason Haar wrote:
1. our DNS was hacked/dumped - nope 2. our workstations/browser histories were dumped - nope 3. the bots are scraping initial HTTPS SSL exchanges and capturing FQDNs - that's what I'm guessing
4. Your CA was hacked (it's happened before). ------------------------------------------------------------------------------ RSA(R) Conference 2012 Save $700 by Nov 18 Register now http://p.sf.net/sfu/rsa-sfdev2dev1 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Detecting TCP session without data after three-way handshake Willst Mail (Nov 02)
- Re: Detecting TCP session without data after three-way handshake Edward Fjellskål (Nov 03)
- Re: Detecting TCP session without data after three-wayhandshake Jason Haar (Nov 03)
- Re: Detecting TCP session without data after three-wayhandshake Giles Coochey (Nov 04)
- Re: Detecting TCP session without data after three-wayhandshake Martin Holste (Nov 04)
- Re: Detecting TCP session without data after three-wayhandshake Seth Hall (Nov 04)