[Snort-users] ...supposed to take this serious...?

Andreas Östling andreaso at ...236...
Fri Aug 4 08:07:08 EDT 2000


As you say, this is probably just https traffic.
I guess you are using this rule:
alert tcp any any -> any 20432 (msg:"IDS254 - DDoS shaft client to handler"; flags: AP;)
which alerts on all AP packets going to port 20432.

/Andreas


On Fri, 4 Aug 2000, Jan Muenther wrote:

> Hello folks,
> I found these in my snort.alert:
> 
> [**] IDS254 - DDoS shaft client to handler [**]
> 08/04-11:26:52.985637 212.227.109.138:443 -> 62.165.1.130:20432
> TCP TTL:53 TOS:0x0 ID:65264  DF
> *****PA* Seq: 0x63FD8DD9   Ack: 0xC1A80610   Win: 0x7D78
> 
> [**] IDS254 - DDoS shaft client to handler [**]
> 08/04-11:26:53.000024 212.227.109.138:443 -> 62.165.1.130:20432
> TCP TTL:53 TOS:0x0 ID:65265  DF
> *****PA* Seq: 0x63FD938D   Ack: 0xC1A80610   Win: 0x7D78
> 
> ...and a couple more...
> 
> Am I supposed to take this seriously??? I (=my integrity checkers)
> haven't noticed any changes on any host and I think 443 could be
> usual https traffic...
> 
> So, what do you think...?
> 
> Bye, Jan
> -- 
> Radio HUNDERT,6 Medien GmbH Berlin
> - EDV -
> j.muenther at ...206...
> 
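A small triage script along the lines of Andreas's point, added here as an example and not code from the thread or from Snort itself: it parses alerts in the exact four-line format Jan pasted and marks those where a well-known service port (443 here) is answering a client whose ephemeral port merely happens to be 20432. The sample alerts are constructed (the first two copy Jan's, the third is made up), and the "below 1024 is a service port" cut-off is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample in the Snort 1.x alert format from the thread. The first
# two blocks mirror Jan's alerts; the third is made up (high source port).
SAMPLE_ALERTS = """\
[**] IDS254 - DDoS shaft client to handler [**]
08/04-11:26:52.985637 212.227.109.138:443 -> 62.165.1.130:20432
TCP TTL:53 TOS:0x0 ID:65264  DF
*****PA* Seq: 0x63FD8DD9   Ack: 0xC1A80610   Win: 0x7D78

[**] IDS254 - DDoS shaft client to handler [**]
08/04-11:26:53.000024 212.227.109.138:443 -> 62.165.1.130:20432
TCP TTL:53 TOS:0x0 ID:65265  DF
*****PA* Seq: 0x63FD938D   Ack: 0xC1A80610   Win: 0x7D78

[**] IDS254 - DDoS shaft client to handler [**]
08/04-11:30:10.123456 10.9.8.7:4567 -> 62.165.1.130:20432
TCP TTL:64 TOS:0x0 ID:1234  DF
*****PA* Seq: 0x00000001   Ack: 0x00000002   Win: 0x2000
"""

HEADER = re.compile(r"\[\*\*\] (?P<msg>.+?) \[\*\*\]")
CONN = re.compile(r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")
FLAGS = re.compile(r"^(?P<flags>[\w*]{8}) Seq:")  # set flags print as letters, unset as '*'

@dataclass
class Alert:
    msg: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str

def parse_alerts(text):
    """Split the alert file on blank lines; each block is header/conn/IP/TCP."""
    alerts = []
    for block in text.strip().split("\n\n"):
        ln = block.splitlines()
        h, c, f = HEADER.search(ln[0]), CONN.search(ln[1]), FLAGS.search(ln[3])
        if h and c and f:
            alerts.append(Alert(h["msg"], c["src"], int(c["sport"]), c["dst"], int(c["dport"]), f["flags"]))
    return alerts

def triage(a):
    """Heuristic: 'flags: AP' matches every data segment of an established session,
    so the only real evidence is the port pairing (assumed cut-off: <1024 = service)."""
    if "A" in a.flags and "P" in a.flags and a.sport < 1024 and a.dport >= 1024:
        return "likely-false-positive"  # service replying to an ephemeral port that is 20432 by chance
    return "needs-review"

def summarize(text):
    return [(a.src, a.sport, a.dst, a.dport, triage(a)) for a in parse_alerts(text)]
```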