stream4: Stealth activity

[Paul Schmehl <pauls () utdallas edu>]

Recently we've been seeing what appears to be coordinated activity 
tripping this alert.  I've pretty much ignored these alerts in the past 
because 1) I don't really understand what they mean and 2) They seemed 
to be somewhat random as to src and 3) Many of them come from networks 
that I know to be ones our users are using from home.

But this recent activity has me curious as to precisely what this alert 
means.  We're seeing two and sometimes three hosts from the same /24 
(and multiple 24/s) setting off this alert.  That seems to stretch the 
possibility of randomness to the breaking point.

I gather (from pgs 22 and 23 of the manual) that the stream4 
preprocessor reassembles fragmented packets allowing you to track 
sessions, so I surmise that the stealth activity is an attempt to bypass 
detection through fragmenting or sending meaningless sequence numbers, 
but......bypass detection of what?  Is this a variation of some type of 
discovery activity?  Or could it be an actual attack against a large 
number of hosts?

Before I plow into the source code and give myself an enormous headache, 
is anyone on the list an expert on this *and* have the time to explain 
it to poor little me?

--
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature