[Snort-sigs] Help with TCP

Joe Matusiewicz joem at ...555...
Thu Aug 29 08:17:01 EDT 2002


The flags set are urgent, reset, ack, and the second reserved bit.  The 
incidents list reported similar traffic from port 18245 to 21536 and may 
explain the mystery:

http://lists.insecure.org/incidents/2000/Nov/0177.html


-- Joe

At 10:31 AM 8/29/02, Brett.Gillett at ...772... wrote:
>Hey everyone,
>
>Just wondering if anyone could shed some light on this packet we captured
>using Snort. We captured it using a custom signature,
>
>[**] [1:0:0] XXXXXXXXXXXXXXXXXXXXX [**]
>08/29-10:12:15.108174 SSS.SSS.SSS.80:18245 -> DDD.DDD.DDD.1:21536
>TCP TTL:119 TOS:0x0 ID:30214 IpLen:20 DgmLen:269 DF
>*2UA*R** Seq: 0x2F656E2F  Ack: 0x73637269  Win: 0x732F  TcpLen: 28  UrgPtr:
>0x7269
>TCP Options (1) => Opt 112 (40): 732E 6A73 2048 5454 502F 312E 310D 0A41
>6363 6570 743A 202A 2F2A 0D0A 5265 6665 7265 723A 2068 7474
>
>I am interested in understanding the TCP options section and the TCP flags
>that have been set.  Also,  has anyone else seen anything destined to port
>21536, I
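Added example, not part of the original thread: a short Python script that lays the header fields from the quoted Snort alert back out in wire order and renders them as ASCII, which is a quick way to check whether an odd flag combination is really application payload that the sensor parsed as a TCP header. The function names are hypothetical. The checksum and the option length byte are not printed in the alert and are shown as `?`, and the low nibble of the data-offset byte is assumed to be 0.

```python
import struct

# Field values copied from the Snort alert quoted in the message above.
SRC_PORT, DST_PORT = 18245, 21536
SEQ, ACK = 0x2F656E2F, 0x73637269
WIN, URG_PTR = 0x732F, 0x7269
TCP_LEN = 28
FLAGS = "*2UA*R**"
OPT_KIND = 112
OPT_DATA = ("732E 6A73 2048 5454 502F 312E 310D 0A41 "
            "6363 6570 743A 202A 2F2A 0D0A 5265 6665 7265 723A 2068 7474")

def flags_byte(snort_flags):
    """Convert Snort's flag column (12UAPRSF, '*' = bit clear) to the header byte."""
    value = 0
    for ch in snort_flags:
        value = (value << 1) | int(ch != "*")
    return value

def header_bytes():
    """Rebuild the header in wire order; None marks bytes the alert does not show."""
    # Assumption: the low nibble of byte 12 (not printed by Snort) is 0.
    offset_byte = (TCP_LEN // 4) << 4
    out = list(struct.pack("!HHII", SRC_PORT, DST_PORT, SEQ, ACK))
    out += [offset_byte, flags_byte(FLAGS)]
    out += list(struct.pack("!H", WIN))
    out += [None, None]                      # checksum: not in the alert
    out += list(struct.pack("!H", URG_PTR))
    out += [OPT_KIND, None]                  # option length byte: left unknown
    out += list(bytes.fromhex(OPT_DATA))
    return out

def as_text(octets):
    """Printable ASCII as-is, CR/LF escaped, unknown bytes as '?', others as \\xNN."""
    parts = []
    for b in octets:
        if b is None:
            parts.append("?")
        elif b == 0x0D:
            parts.append("\\r")
        elif b == 0x0A:
            parts.append("\\n")
        elif 0x20 <= b < 0x7F:
            parts.append(chr(b))
        else:
            parts.append("\\x%02x" % b)
    return "".join(parts)

if __name__ == "__main__":
    print(as_text(header_bytes()))
```

Every field the alert prints decodes to printable ASCII, starting with `GET ` for the two port numbers, so the "header" reads as the opening bytes of an HTTP request.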




