[Snort-sigs] spp_stream4 Stealth activity

John Hally JHally at ...1106...
Fri May 30 14:23:01 EDT 2003


Is it possible then, for the state table to get flushed, and what I'm seeing
is just legitimate traffic that has had its state info lost?  Based on the
payload, I'd say it's highly unlikely the packets were crafted, as it looks
like the basic web traffic from our app.

I thought the AckPushReset was very odd.


-----Original Message-----
From: daniel.clemens
[mailto:daniel_clemens at ...842...]
Sent: Friday, May 30, 2003 9:41 AM
To: John Hally
Cc: 'snort-sigs at lists.sourceforge.net'
Subject: Re: [Snort-sigs] spp_stream4 Stealth activity


On Fri, 30 May 2003, John Hally wrote:

> Hello All,
>
> I'm seeing a good amount of these alerts coming from the stream4
> preprocessor.  For the most part the payload of the packets look normal, but
> they all have ACK,PUSH,RST set.   Has anyone else seen this behavior?  The
> traffic is originating from a proxy of some sort and destined for a
> 2000/IIS5 server, if that helps.


Correct me if I am wrong but stream4 is saying 'these packets are not in a
state table' so they are probably crafted packets.
-Dan
----------------------------------------------------------------------------
Esse quam videra
    		(to be, rather than to appear)
http://www.birmingham-infragard.org   | 2053284200 | 877.806.8928
----------------------------------------------------------------------------