Snort mailing list archives
Re: [Snort-sigs] bad traffic in syn packet
From: Frank Knobbe <frank () knobbe us>
Date: Wed, 07 Sep 2005 13:17:14 -0500
On Tue, 2005-09-06 at 09:10 -0400, John Hally wrote:
Need a quick sanity check here. I'm seeing alerts for traffic in syn packets, and all are destined for TCP/53. Is it possible that data is being piggy-backed in the syn packet on purpose and the traffic is benign? I don't see any other anomalies to or from these hosts, but wanted to make sure that I'm not overlooking something obvious.
Heya John, what is the data in question? Anything identifiable? If not, these could be probes from load-balancers. Perhaps you can see a pattern by src or dst? Cheers, Frank -- Ciscogate: Shame on Cisco. Double-Shame on ISS.
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- bad traffic in syn packet John Hally (Sep 06)
- Re: [Snort-sigs] bad traffic in syn packet Frank Knobbe (Sep 07)
- Re: bad traffic in syn packet Brian Coyle (Sep 19)