[Snort-users] every connection a portscan....??
cpw at ...440...
Thu Oct 5 15:49:58 EDT 2000
Check out RFC481 "A Proposal to add Explicit Congestion Notification (ECN) to IP"
On Thu, Oct 05, 2000 at 06:20:17PM +0200, Jan Muenther wrote:
> I have this one host which makes the portscan preprocessor go wild
> every time a TCP connection is established...
> I think it's the first packet sent from the remote host with
> strange TCP flags being set... like this:
> [**] IDS029 - SCAN-Possible Queso Fingerprint attempt [**]
> 09/26-18:09:03.858555 220.127.116.11:1069 -> xx.xxx.x.xxx:25
> TCP TTL:49 TOS:0x0 ID:0 DF
> 21S***** Seq: 0x214F4222 Ack: 0x0 Win: 0x16D0
> TCP Options => MSS: 1460 SackOK TS: 60719014 0 NOP WS: 0
> I know from my mail logs that this was probably nothing else than
> a mail being delivered, so it doesn't really prevent me from
> sleeping. Still, I'd like to know where these flags come from...
> or is something else triggering snort alerts and I'm too silly to
> see it??
> The strange flags could also trigger the fingerprint alert
> because - as we all know after reading Fyodor's Phrack paper
> ;o)) - the reaction towards these can be very telling.
> Hm. Anybody seen this and knows what causes it...?? I can
> reproduce it by manually making a TCP connection with every given
> protocol, so it's not smtp specific...
> Cheers, Jan
> Radio HUNDERT,6 Medien GmbH Berlin
> - EDV -
> j.muenther at ...206...
Phil Wood, cpw at ...440...
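
An added example, not part of the original thread or of Snort's code: a small Python check that decodes the flag column of a Snort alert header and separates a bare SYN carrying both reserved bits, which is how a host negotiating ECN opens a connection, from other reserved-bit combinations. The column order `21SFRPAU` is an assumption read off the quoted alert, `classify` and `decode_flags` are hypothetical helpers, and all sample lines except the first are constructed.

```python
import re

# Assumption: flag column order read off the quoted alert ("21S*****"):
# the two reserved bits first, then S F R P A U; '*' means the bit is clear.
FLAG_ORDER = "21SFRPAU"
FLAG_RE = re.compile(r"(?:^|\s)([21SFRPAU*]{8})\s+Seq:")

# First line is the header line quoted in the post; the other two are
# constructed for comparison.
SAMPLE_LINES = [
    "> 21S***** Seq: 0x214F4222 Ack: 0x0 Win: 0x16D0",
    "**S***** Seq: 0x1A2B3C4D Ack: 0x0 Win: 0x16D0",
    "21SF*P*U Seq: 0x0 Ack: 0x0 Win: 0x200",
]


def decode_flags(field):
    """Return the set of flag letters set in an 8-character flag column."""
    flags = set()
    for expected, ch in zip(FLAG_ORDER, field):
        if ch == expected:
            flags.add(ch)
        elif ch != "*":
            raise ValueError("flag %r out of position in %r" % (ch, field))
    return flags


def classify(line):
    """Label one alert header line by its reserved-bit usage (hypothetical helper)."""
    match = FLAG_RE.search(line)
    if not match:
        return "unparsed"
    try:
        flags = decode_flags(match.group(1))
    except ValueError:
        return "unparsed"
    reserved = flags & {"1", "2"}
    if not reserved:
        return "no-reserved-bits"
    # ECN-setup SYN: both former reserved bits (ECE and CWR) set on a bare SYN.
    if reserved == {"1", "2"} and flags - reserved == {"S"}:
        return "ecn-setup-syn"
    return "reserved-bits-other"


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line), "<-", line)
```

Lines labelled `reserved-bits-other` are the ones still worth a fingerprinting alert; `ecn-setup-syn` lines are candidates for tuning out.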