Snort mailing list archives

Re: What is this alert??


From: Wes Young <wcyoung () buffalo edu>
Date: Mon, 21 Mar 2005 08:48:03 -0500


It usually has to deal with one of 2 things:

A hacker is trying to evade your IDS with funky resets (I'm pretty sure
RST is resets)

Or you have a program out there that is acting up/violating protocol

Not 100% sure since I've not seen that many in real life, but
something to go off of.

I would check out the dst IP as a safety precaution, see if there is
anything weird running on it. Or see if it has shown up in your alert
logs previously (till now).

gl

Marc Hering wrote:
| Hey All,
| I keep getting this same alert over and over and over (About 5k times
| already since Thursday)
|
| (spp_stream4) possible EVASIVE RST detection
|
| I can't seem to find any useful info on it aside from that it is
| detecting a lot of RST requests...Is this a common alert that needs to
| be tweaked or am I looking at something more sinister?
|
| Thanks!
| <M>
|

--
Wes Young
Network Security Analyst
University at Buffalo
GPG Key: http://saxjazman9-security.blogspot.com/2005/01/gpg-key.html
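A triage step in the spirit of the reply above (has the destination shown up in the alert logs before, from how many sources, and when), as an added example that is not part of the original thread: it parses Snort fast-format alert lines and summarises the spp_stream4 EVASIVE RST alerts per destination IP. The sample lines are constructed, and the gid:sid:rev values in them are placeholders, not real stream4 identifiers.

```python
import re
from datetime import datetime

# Constructed sample of Snort "fast" alert lines (not taken from the thread;
# the [gid:sid:rev] values are placeholders, not real stream4 identifiers).
SAMPLE_ALERTS = """\
03/17-09:12:01.000001 [**] [111:0:1] (spp_stream4) possible EVASIVE RST detection [**] {TCP} 192.0.2.10:4432 -> 198.51.100.5:80
03/17-09:12:04.000002 [**] [111:0:1] (spp_stream4) possible EVASIVE RST detection [**] {TCP} 192.0.2.10:4433 -> 198.51.100.5:80
03/18-11:40:10.000003 [**] [1:0:1] ICMP PING [**] {ICMP} 192.0.2.77 -> 198.51.100.9
03/19-02:05:55.000004 [**] [111:0:1] (spp_stream4) possible EVASIVE RST detection [**] {TCP} 203.0.113.8:51000 -> 198.51.100.5:80
03/21-08:30:00.000005 [**] [111:0:1] (spp_stream4) possible EVASIVE RST detection [**] {TCP} 192.0.2.10:4500 -> 198.51.100.22:443
"""

# Fast-format line: timestamp [**] [gid:sid:rev] msg [**] [optional tags] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ \[\*\*\] \[[\d:]+\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[.*?\] )*\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)

def summarize_rst_alerts(text, msg="possible EVASIVE RST detection", year=2005):
    """Return {dst_ip: {"count", "first", "last", "sources"}} for alerts whose
    message contains `msg`. Fast-format timestamps carry no year, so one is
    supplied by the caller."""
    out = {}
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m or msg not in m.group("msg"):
            continue
        ts = datetime.strptime(f"{year}/{m.group('ts')}", "%Y/%m/%d-%H:%M:%S")
        rec = out.setdefault(m.group("dst"),
                             {"count": 0, "first": ts, "last": ts, "sources": set()})
        rec["count"] += 1
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
        rec["sources"].add(m.group("src"))
    return out

if __name__ == "__main__":
    # Destinations hit most often first: a single dst with many sources over days
    # reads differently from one noisy client/server pair violating the protocol.
    for dst, rec in sorted(summarize_rst_alerts(SAMPLE_ALERTS).items(),
                           key=lambda kv: -kv[1]["count"]):
        print(f"{dst}: {rec['count']} alerts from {len(rec['sources'])} source(s), "
              f"first {rec['first']}, last {rec['last']}")
```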

