Snort mailing list archives

Re: High FPs on New Stream5 Anomalies & Others


From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 27 Jan 2011 10:43:09 -0500

On 1/26/2011 13:24, Merida, Dylan wrote:
We have another IDS type box from Actiance (Recently changed their name from
FaceTime after selling it to Apple) that sprays TCP RSTs out at connections it
doesn't like; I suspect this may be causing the "Reset outside window" alert to
trigger and maybe the FIN number issues.

you may very well be seeing this type of activity... especially from certain 
cable broadband suppliers who are trying to block or otherwise cause a hard time 
for those using p2p crapplications... they are injecting such as this into the 
stream so as to cause both ends of the connections to reset... this, of course, 
causes those ends to simply try again and again and again actually increasing 
traffic for a while until the software may finally move on to another IP for 
those file segments it is looking for...
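
Added example, not part of the original message and not Snort or Stream5 code: a minimal Python sketch of the window check behind a "reset outside window" style alert, following the RST sequence rules of RFC 5961. The segment field names, the `client`/`server` labels and the sample values are constructed, and the tracker assumes in-order segments with no retransmissions or window scaling.

```python
MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around

def classify_rst(seq, rcv_nxt, rcv_wnd):
    """Place an RST's sequence number relative to the receiver's window."""
    offset = (seq - rcv_nxt) % MOD  # modular distance handles wraparound
    if offset == 0:
        return "exact"           # a genuine endpoint reset lands here
    if offset < rcv_wnd:
        return "in_window"       # RFC 5961: answer with a challenge ACK
    return "outside_window"      # stale or guessed sequence number

def find_out_of_window_resets(segments):
    """Walk one connection in capture order and return the RSTs whose
    sequence number is outside the window their receiver advertised."""
    next_seq = {}  # sender -> next sequence number expected from it
    window = {}    # host -> last receive window that host advertised
    flagged = []
    for s in segments:
        src, dst, flags = s["src"], s["dst"], s["flags"]
        if "R" in flags:
            if src in next_seq and dst in window:
                if classify_rst(s["seq"], next_seq[src], window[dst]) == "outside_window":
                    flagged.append(s)
            continue
        window[src] = s["win"]
        # SYN and FIN each consume one sequence number, like a data byte
        consumed = s["len"] + ("S" in flags) + ("F" in flags)
        next_seq[src] = (s["seq"] + consumed) % MOD
    return flagged

# Constructed sample: a handshake, some data, then two resets. The first RST
# carries the server's address but a sequence number the server already moved
# past, as a third-party device resetting the connection might produce.
SAMPLE = [
    {"src": "client", "dst": "server", "flags": "S",  "seq": 1000, "len": 0,   "win": 65535},
    {"src": "server", "dst": "client", "flags": "SA", "seq": 5000, "len": 0,   "win": 8192},
    {"src": "client", "dst": "server", "flags": "A",  "seq": 1001, "len": 100, "win": 65535},
    {"src": "server", "dst": "client", "flags": "A",  "seq": 5001, "len": 500, "win": 8192},
    {"src": "server", "dst": "client", "flags": "R",  "seq": 5001, "len": 0,   "win": 0},
    {"src": "client", "dst": "server", "flags": "R",  "seq": 1101, "len": 0,   "win": 0},
]

if __name__ == "__main__":
    for rst in find_out_of_window_resets(SAMPLE):
        print("RST outside window:", rst["src"], "->", rst["dst"], "seq", rst["seq"])
```
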
