Snort mailing list archives
(spp_stream4) STEALTH ACTIVITY (unknown) detection
From: "Everist, Benjamin S. (NASWI)" <EveristB () naswi navy mil>
Date: Fri, 23 May 2003 10:02:31 -0700
Hi all - I have some strange alerts I am not sure what to make of. They are all triggered by spp_stream4, apparently because the 'r1' or 'congestion window reduced' flag is set (that's just a guess). They all look like this:

05/22-10:21:27.947314 0:50:73:23:59:62 -> 8:0:20:C1:6F:F5 type:0x800 len:0x3C
xxx.xxx.xxx.xxx:80 -> xxx.xxx.xxx.xxx:29791 TCP TTL:50 TOS:0x0 ID:24615 IpLen:20 DgmLen:40 DF
1**A*R** Seq: 0x0 Ack: 0x583C Win: 0x0 TcpLen: 20

What you can't see from the -O output is that the source IP is xxx.xxx.xxx.255, apparently a broadcast address. There are 71 alerts, and 65 unique destination addresses. The dest IPs are all in my $Home_Net, many are unused, and _none_ should be surfing the web. Any idea what the 4377 this is? I have attached the packet capture file if it helps.

Thanks,
Benjamin Everist
Attachment:
snort.log.1051805857
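An added example, not part of the original post: a small parser for Snort's packet-dump lines that decodes the "12UAPRSF" flag string (the "1" in "1**A*R**" is Snort's marker for the 0x80 reserved bit, CWR under RFC 3168) and applies triage heuristics for the pattern described above, a RST/ACK from port 80 with seq 0, window 0, and a source address ending in .255. The sample packet is constructed with RFC 5737 documentation addresses, and the /24 assumed for the broadcast check is an assumption, not something the post states.

```python
import re
from ipaddress import ip_address, ip_network

# Snort prints TCP flags as an 8-character string in the order "12UAPRSF":
# reserved bit 1 (0x80, CWR in RFC 3168), reserved bit 2 (0x40, ECE), then
# URG ACK PSH RST SYN FIN; a clear bit prints as "*".
FLAG_NAMES = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")

IP_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) TCP TTL:(\d+)")
TCP_RE = re.compile(r"^([12UAPRSF*]{8}) Seq: 0x([0-9A-Fa-f]+)\s+Ack: 0x([0-9A-Fa-f]+)"
                    r"\s+Win: 0x([0-9A-Fa-f]+)")

# Constructed sample in the same layout as the alert quoted in the post,
# with the addresses replaced by documentation-range hosts (RFC 5737).
SAMPLE = """05/22-10:21:27.947314 0:50:73:23:59:62 -> 8:0:20:C1:6F:F5 type:0x800 len:0x3C
192.0.2.255:80 -> 198.51.100.17:29791 TCP TTL:50 TOS:0x0 ID:24615 IpLen:20 DgmLen:40 DF
1**A*R** Seq: 0x0  Ack: 0x583C  Win: 0x0  TcpLen: 20
"""

def parse_flags(s):
    """Turn Snort's flag string into the set of flag names that are set."""
    return {name for ch, name in zip(s, FLAG_NAMES) if ch != "*"}

def parse_packet(text):
    """Parse one Snort packet dump (IP line + TCP line) into a dict."""
    pkt = {}
    for line in text.splitlines():
        m = IP_RE.match(line)
        if m:
            pkt.update(src=m.group(1), sport=int(m.group(2)), dst=m.group(3),
                       dport=int(m.group(4)), ttl=int(m.group(5)))
            continue
        m = TCP_RE.match(line)
        if m:
            pkt.update(flags=parse_flags(m.group(1)), seq=int(m.group(2), 16),
                       ack=int(m.group(3), 16), win=int(m.group(4), 16))
    return pkt

def triage(pkt, prefixlen=24):
    """List why the packet looks like a stray or spoofed reset (assumed /24 source net)."""
    reasons = []
    src = ip_address(pkt["src"])
    if src == ip_network(f"{src}/{prefixlen}", strict=False).broadcast_address:
        reasons.append("source is the directed-broadcast address of its /%d" % prefixlen)
    if {"RST", "ACK"} <= pkt["flags"] and pkt["seq"] == 0 and pkt["win"] == 0:
        reasons.append("RST/ACK with seq 0 and window 0 (no session context)")
    if pkt["flags"] & {"CWR", "ECE"}:
        reasons.append("reserved/ECN bit set in flags")
    return reasons

if __name__ == "__main__":
    p = parse_packet(SAMPLE)
    print(p["src"], "->", p["dst"], sorted(p["flags"]), triage(p))
```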