Snort mailing list archives
BAD TRAFFIC data in TCP SYN packet
From: Lars Jørgensen IT <Lars.Jorgensen () pol dk>
Date: Mon, 14 Jan 2002 07:39:17 +0100
Hi! I get a lot of 01/14-02:24:17.089098 [**] [1:526:3] BAD TRAFFIC data in TCP SYN packet [**] [Classification: Misc activity] [Priority: 3] {TCP} 207.46.106.84:29291 -> 172.40.20.235:53 172.40.20.235 is my DNS server, but why would clients put data in the syn packets? According to RIPE, the source address is "ALLOCATED UNSPECIFIED", so I can't find out who's doing this. It comes from a limited number of addresses, they all seem to be 207.xx.xxx.xxx. I tried Google, but to no avail. Can anybody shed some light on this? Lars _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- BAD TRAFFIC data in TCP SYN packet Lars Jørgensen IT (Jan 13)
- Re: BAD TRAFFIC data in TCP SYN packet Chris Keladis (Jan 13)
- Re: BAD TRAFFIC data in TCP SYN packet Matt Kettler (Jan 14)
- Re: BAD TRAFFIC data in TCP SYN packet Dewey Paciaffi (Jan 14)
- Re: BAD TRAFFIC data in TCP SYN packet Martin Roesch (Jan 14)
- Re: BAD TRAFFIC data in TCP SYN packet Laurie Zirkle (Jan 15)
- <Possible follow-ups>
- Re: BAD TRAFFIC data in TCP SYN packet Tudor Panaitescu (Jan 14)
- SV: BAD TRAFFIC data in TCP SYN packet Lars Jørgensen IT (Jan 14)
- Re: SV: BAD TRAFFIC data in TCP SYN packet Matt Kettler (Jan 14)
- Re: SV: BAD TRAFFIC data in TCP SYN packet Dan Hollis (Jan 14)
- Re: SV: BAD TRAFFIC data in TCP SYN packet Matt Kettler (Jan 14)
- RE: SV: BAD TRAFFIC data in TCP SYN packet Austad, Jay (Jan 15)
(Thread continues...)