[Snort-users] every connection a portscan....??

Jan Muenther jan at ...206...
Thu Oct 5 12:20:17 EDT 2000

I have this one host which makes the portscan preprocessor go wild
every time a TCP connection is established...

I think it's the first packet sent from the remote host with
strange TCP flags being set... like this:

[**] IDS029 - SCAN-Possible Queso Fingerprint attempt [**]
09/26-18:09:03.858555 -> xx.xxx.x.xxx:25
TCP TTL:49 TOS:0x0 ID:0  DF
21S***** Seq: 0x214F4222   Ack: 0x0   Win: 0x16D0
TCP Options => MSS: 1460 SackOK TS: 60719014 0 NOP WS: 0 


I know from my mail logs that this was probably nothing else than
a mail being delivered, so it doesn't really prevent me from
sleeping. Still, I'd like to know where these flags come from...
or is something else triggering snort alerts and I'm too silly to
see it??

The strange flags could also trigger the fingerprint alert
because - as we all know after reading Fyodor's Phrack paper
;o)) - the reaction towards these can be very telling.

Hm. Anybody seen this and know what causes it...?? I can
reproduce it by manually making a TCP connection with every given
protocol, so it's not SMTP-specific...


Cheers, Jan
