Snort mailing list archives

Re: Strange Alerts


From: Neil Dickey <neil () geol niu edu>
Date: Wed, 23 Apr 2003 10:31:11 -0500 (CDT)


Brett.Gillett () tsx com wrote asking:

> I have a question regarding alerts that we started to receive once we 
> upgraded to Snort 2.0, it seems that all of our sensors started generating 
> T/TCP Detected alerts

T/TCP stands for "Transaction TCP", and is a way of dispensing with the
customary three-way handshake used to initiate a TCP exchange over the
network.  Do a Google on "t/tcp" and you'll find out lots about it, but
here's a link to get started:

  http://ttcplinux.sourceforge.net/

I grepped the source IP in my webserver logs and have so far found that
these packets are commonly associated with "normal" sessions involving
Microsoft IE clients.  Are you hosting any websites?

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115



