[Snort-sigs] spp_stream4 Steath activity

daniel.clemens daniel_clemens at ...842...
Fri May 30 11:45:08 EDT 2003

On Fri, 30 May 2003, John Hally wrote:

> Hello All,
> I'm seeing a good amount of these alerts coming from the stream4
> preprocessor.  For the most part the payload of the packets look normal, but
> they all have ACK,PUSH,RST set.   Has anyone else seen this behavior?  The
> traffic is originating from a proxy of some sort and destined for an
> 2000/IIS5 server, if that helps.

Correct me if I am wrong but stream4 is saying 'these packets are not in a
state table' so they are probably crafted packets.
Esse quam videra
    		(to be, rather than to appear)
http://www.birmingham-infragard.org   | 2053284200 | 877.806.8928

More information about the Snort-sigs mailing list