Snort mailing list archives

(spp_stream4) STEALTH ACTIVITY (unknown) detection


From: "Everist, Benjamin S. (NASWI)" <EveristB () naswi navy mil>
Date: Fri, 23 May 2003 10:02:31 -0700

Hi all - 

I have some strange alerts I am not sure what to make of. They are all
triggered by spp_stream4, apparently because the 'r1' or 'congestion window
reduced' flag is set (that's just a guess). They all look like this:

05/22-10:21:27.947314 0:50:73:23:59:62 -> 8:0:20:C1:6F:F5 type:0x800
len:0x3C
xxx.xxx.xxx.xxx:80 -> xxx.xxx.xxx.xxx:29791 TCP TTL:50 TOS:0x0 ID:24615
IpLen:20 DgmLen:40 DF
1**A*R** Seq: 0x0  Ack: 0x583C  Win: 0x0  TcpLen: 20

What you can't see from the -O output is that the source IP is xxx.xxx.xxx.255,
apparently a broadcast address. There are 71 alerts, and 65 unique
destination addresses. The dest IPs are all in my $Home_Net, many are
unused, and _none_ should be surfing the web.

Any idea what the 4377 this is? I have attached the packet capture file if
it helps.

Thanks,

Benjamin Everist



Attachment: snort.log.1051805857
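The alert record in the post is Snort's text output: an Ethernet line, an IP header line, and a TCP line whose first column is the flag field printed in the fixed order 1 2 U A P R S F, where "1" and "2" are the two high-order bits that were reserved when that format was designed (CWR and ECE after RFC 3168). The following script is an added example, not code from the post or from the Snort project. It parses records in that format (rejoining the lines the mail client wrapped), decodes the flag column, and reports the observations a defender would check on this kind of alert: the reserved/ECN bit on a RST, seq and window both zero, a .255 source, and how many distinct destinations are involved. The addresses and the second and third records are constructed; the sanitised `xxx.xxx.xxx.xxx` form of the post is accepted by the parser but cannot be judged as broadcast or not.

```python
"""Decode Snort text-format TCP alerts and summarise a batch of them.

Added example for the mailing-list post above; the sample records and
addresses (192.0.2.0/24, 10.0.0.0/8) are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Snort prints TCP flags as eight fixed positions: 1 2 U A P R S F.
# "1" and "2" are the two formerly reserved bits, CWR and ECE in RFC 3168.
FLAG_ORDER = "12UAPRSF"
FLAG_NAMES = {"1": "CWR", "2": "ECE", "U": "URG", "A": "ACK",
              "P": "PSH", "R": "RST", "S": "SYN", "F": "FIN"}

_HDR_RE = re.compile(
    r"(?P<src>[\w.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"TCP TTL:(?P<ttl>\d+)")
_FLAGS_RE = re.compile(
    r"(?P<flags>[12UAPRSF*]{8}) Seq: 0x(?P<seq>[0-9A-Fa-f]+)\s+"
    r"Ack: 0x(?P<ack>[0-9A-Fa-f]+)\s+Win: 0x(?P<win>[0-9A-Fa-f]+)")


@dataclass
class TcpAlert:
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    flags: set
    seq: int
    ack: int
    win: int


def decode_flags(column: str) -> set:
    """Turn Snort's fixed-width flag column (e.g. '1**A*R**') into flag names."""
    if len(column) != 8:
        raise ValueError(f"flag column must be 8 characters, got {column!r}")
    names = set()
    for expected, ch in zip(FLAG_ORDER, column):
        if ch == "*":
            continue
        if ch != expected:
            raise ValueError(f"unexpected {ch!r} in the {expected!r} position")
        names.add(FLAG_NAMES[ch])
    return names


def parse_alert(record: str) -> TcpAlert:
    """Parse one alert record; lines wrapped by a mail client are rejoined first."""
    text = " ".join(line.strip() for line in record.strip().splitlines())
    hdr, fl = _HDR_RE.search(text), _FLAGS_RE.search(text)
    if not (hdr and fl):
        raise ValueError("not a TCP alert record in Snort's text format")
    return TcpAlert(
        src=hdr["src"], sport=int(hdr["sport"]),
        dst=hdr["dst"], dport=int(hdr["dport"]), ttl=int(hdr["ttl"]),
        flags=decode_flags(fl["flags"]),
        seq=int(fl["seq"], 16), ack=int(fl["ack"], 16), win=int(fl["win"], 16))


def looks_like_broadcast(addr: str) -> bool:
    """True for a dotted quad ending in .255; a sanitised 'xxx.xxx.xxx.xxx' is False."""
    parts = addr.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts) and parts[-1] == "255"


def classify(a: TcpAlert) -> list:
    """Observations worth checking on one alert (checks, not a diagnosis)."""
    notes = []
    if a.flags & {"CWR", "ECE"}:
        notes.append("reserved/ECN bit set")          # the 'r1'/'r2' bit of the post
    if {"RST", "ACK"} <= a.flags:
        notes.append("RST/ACK")                       # a reply to a segment, not a new connection
    if a.seq == 0 and a.win == 0:
        notes.append("seq 0, window 0")               # typical of a RST sent without state
    if looks_like_broadcast(a.src):
        notes.append("source is a .255 (broadcast-style) address")
    return notes


def summarize(alerts: list) -> dict:
    """Batch view: how many alerts, how many distinct destinations, which sources."""
    return {"alerts": len(alerts),
            "unique_destinations": len({a.dst for a in alerts}),
            "sources": Counter(a.src for a in alerts),
            "observations": Counter(n for a in alerts for n in classify(a))}


# Constructed records in the same layout as the post (addresses are made up).
SAMPLE_ALERTS = [
    "05/22-10:21:27.947314 0:50:73:23:59:62 -> 8:0:20:C1:6F:F5 type:0x800\nlen:0x3C\n"
    "192.0.2.255:80 -> 10.0.0.5:29791 TCP TTL:50 TOS:0x0 ID:24615\nIpLen:20 DgmLen:40 DF\n"
    "1**A*R** Seq: 0x0  Ack: 0x583C  Win: 0x0  TcpLen: 20\n",
    "05/22-10:21:28.101200 0:50:73:23:59:62 -> 8:0:20:C1:6F:F5 type:0x800\nlen:0x3C\n"
    "192.0.2.255:80 -> 10.0.0.9:31022 TCP TTL:50 TOS:0x0 ID:24616\nIpLen:20 DgmLen:40 DF\n"
    "1**A*R** Seq: 0x0  Ack: 0x5A10  Win: 0x0  TcpLen: 20\n",
    "05/22-10:21:29.004410 0:50:73:23:59:62 -> 8:0:20:C1:6F:F5 type:0x800\nlen:0x3C\n"
    "192.0.2.255:80 -> 10.0.0.5:29802 TCP TTL:50 TOS:0x0 ID:24617\nIpLen:20 DgmLen:40 DF\n"
    "1**A*R** Seq: 0x0  Ack: 0x583D  Win: 0x0  TcpLen: 20\n",
]

if __name__ == "__main__":
    parsed = [parse_alert(r) for r in SAMPLE_ALERTS]
    for a in parsed:
        print(f"{a.src}:{a.sport} -> {a.dst}:{a.dport} {sorted(a.flags)} {classify(a)}")
    print(summarize(parsed))
```

The check that settles what these packets are is one the script cannot do from the alert alone: whether the destination hosts ever sent a SYN to that source. A RST/ACK with seq 0 is a reply to a segment the sender did not recognise, so if the destinations sent nothing, the segments being answered carried your addresses but did not come from your hosts.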