Snort mailing list archives
Re: What is this alert??
From: Wes Young <wcyoung () buffalo edu>
Date: Mon, 21 Mar 2005 08:48:03 -0500
it usually has to deal with one of 2 things:

A hacker is trying to evade your IDS with funky resets (I'm pretty sure RST is resets)

Or you have a program out there that is acting up/violating protocol

not 100% sure since I've not seen that many in real life, but something to go off of. I would check out the dst IP as a safety precaution, see if there is anything weird running on it. Or see if it has shown up in your alert logs previously (till now).

gl

Marc Hering wrote:
| Hey All,
| I keep getting this same alert over and over and over (About 5k times
| already since Thursday)
|
| (spp_stream4) possible EVASIVE RST detection
|
| I can't seem to find any useful info on it aside from that it is
| detecting a lot of RST requests...Is this a common alert that needs to
| be tweaked or am I looking at something more sinister?
|
| Thanks!
| <M>
|

--
Wes Young
Network Security Analyst
University at Buffalo
GPG Key: http://saxjazman9-security.blogspot.com/2005/01/gpg-key.html
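The triage Wes suggests (look at which dst IPs the alert names and whether they showed up before) can be done directly on Snort's alert log. The script below is an added example, not part of the original thread or of Snort: it groups "(spp_stream4) possible EVASIVE RST detection" alerts by destination host and records source hosts and first/last timestamps, so a single source hammering one dst for days (typically a misbehaving stack or application) stands out from many sources. The input is a constructed sample in the style of Snort's fast-alert output; the IPs and timestamps are made up.

```python
import re

# Constructed sample lines in the style of Snort's fast-alert output (not real data).
SAMPLE_ALERTS = """\
03/17-09:12:01.000111  [**] (spp_stream4) possible EVASIVE RST detection [**] {TCP} 10.1.2.3:40112 -> 192.0.2.10:80
03/17-09:12:01.000222  [**] (spp_stream4) possible EVASIVE RST detection [**] {TCP} 10.1.2.3:40113 -> 192.0.2.10:80
03/17-09:15:44.000333  [**] EXAMPLE unrelated web alert [**] {TCP} 198.51.100.7:51000 -> 192.0.2.20:443
03/18-11:02:09.000444  [**] (spp_stream4) possible EVASIVE RST detection [**] {TCP} 10.9.9.9:1025 -> 192.0.2.30:25
03/21-08:00:00.000555  [**] (spp_stream4) possible EVASIVE RST detection [**] {TCP} 10.1.2.3:40114 -> 192.0.2.10:80
"""

EVASIVE_RST = "(spp_stream4) possible EVASIVE RST detection"

# timestamp [**] message [**] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def summarize_evasive_rst(lines):
    """Group EVASIVE RST alerts by destination host.

    Returns {dst: {"count", "sources", "ports", "first", "last"}}.
    Timestamps are compared as strings, which is correct for Snort's
    MM/DD-HH:MM:SS.usec format as long as the log does not span a year boundary.
    """
    summary = {}
    for line in lines:
        m = ALERT_RE.match(line)
        if not m or m.group("msg") != EVASIVE_RST:
            continue  # not an EVASIVE RST alert (or not a parseable fast-alert line)
        ts = m.group("ts")
        entry = summary.setdefault(
            m.group("dst"),
            {"count": 0, "sources": set(), "ports": set(), "first": ts, "last": ts},
        )
        entry["count"] += 1
        entry["sources"].add(m.group("src"))
        entry["ports"].add(int(m.group("dport")))
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return summary


def noisy_hosts(summary, min_alerts=2):
    """Destination hosts with at least min_alerts hits; start triage with these."""
    return sorted(dst for dst, e in summary.items() if e["count"] >= min_alerts)


if __name__ == "__main__":
    s = summarize_evasive_rst(SAMPLE_ALERTS.splitlines())
    for dst in noisy_hosts(s):
        e = s[dst]
        print(f"{dst}: {e['count']} alerts from {sorted(e['sources'])} "
              f"on ports {sorted(e['ports'])}, {e['first']} .. {e['last']}")
```

Point it at a real `alert` file with `summarize_evasive_rst(open(path))`; a dst that appears with one source across several days is worth checking for a misbehaving service before treating the alert as an evasion attempt.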
Current thread:
- What is this alert?? Marc Hering (Mar 21)
- Re: What is this alert?? Wes Young (Mar 21)
- <Possible follow-ups>
- Re: What is this alert?? Richard Bejtlich (Mar 21)