[Snort-users] every connection a portscan....??

Phil Wood cpw at ...440...
Thu Oct 5 15:49:58 EDT 2000


Check out RFC481 "A Proposal to add Explicit Congestion Notification (ECN) to IP"

On Thu, Oct 05, 2000 at 06:20:17PM +0200, Jan Muenther wrote:
> I have this one host which makes the portscan preprocessor go wild
> every time a TCP connection is established...
> 
> I think it's the first packet sent from the remote host with
> strange TCP flags being set... like this:
> 
> [**] IDS029 - SCAN-Possible Queso Fingerprint attempt [**]
> 09/26-18:09:03.858555 149.221.232.4:1069 -> xx.xxx.x.xxx:25
> TCP TTL:49 TOS:0x0 ID:0  DF
> 21S***** Seq: 0x214F4222   Ack: 0x0   Win: 0x16D0
> TCP Options => MSS: 1460 SackOK TS: 60719014 0 NOP WS: 0 
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> I know from my mail logs that this was probably nothing else than
> a mail being delivered, so it doesn't really prevent me from
> sleeping. Still, I'd like to know where these flags come from...
> or is something else triggering snort alerts and I'm too silly to
> see it??
> 
> The strange flags could also trigger the fingerprint alert
> because - as we all know after reading Fyodor's Phrack paper
> ;o)) - the reaction towards these can be very telling.
> 
> Hm. Anybody seen this and knows what causes it...?? I can
> reproduce it by manually making a TCP connection with every given
> protocol, so it's not smtp specific...
> 
> TIA, 
> 
> Cheers, Jan
> -- 
> Radio HUNDERT,6 Medien GmbH Berlin
> - EDV -
> j.muenther at ...206...
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 
Phil Wood, cpw at ...440...
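The alert quoted above shows the two "reserved" TCP flag bits (printed as `2` and `1` in front of the `S`) set on an ordinary SYN. RFC 2481 defines exactly those two bits as ECN-Echo and Congestion Window Reduced, and an ECN-capable stack sets both on its SYN, so a fingerprint signature that demands SYN plus both reserved bits fires on every connection from such a host. The following example is added for this thread and is not Snort's own code: it renders a raw flags byte as the alert-line column field, parses that field back into bits, and compares a plain SYN and an ECN-setup SYN against a `flags:` specification with and without a mask. The column order beyond the visible `2`, `1`, `S` and the mapping of `1` to the most significant bit are assumptions; the `S,12` mask form is the modifier Snort's rule language uses to ignore the reserved bits.

```python
"""Decode TCP flag bytes as a Snort 1.x alert line shows them, and check
them against a Snort-style ``flags:`` specification.

Added example for this thread, not Snort's own code.  It shows why an
ECN-capable SYN (RFC 2481: SYN with ECE and CWR set) looks like a Queso
fingerprint probe to a signature that requires the two reserved bits.
"""
from typing import Dict, Tuple

# TCP flag bits.  0x40 and 0x80 were "reserved" in RFC 793 until RFC 2481
# defined them as ECN-Echo (ECE) and Congestion Window Reduced (CWR).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ECE, CWR = 0x40, 0x80

# Snort rule-language flag letters.  "1" and "2" name the reserved bits;
# mapping "1" to the most significant bit is an assumption in this example.
RULE_LETTERS = {
    "F": FIN, "S": SYN, "R": RST, "P": PSH, "A": ACK, "U": URG,
    "1": CWR, "2": ECE,
}

# Column order of the eight-character flag field in the quoted alert
# ("21S*****").  Only the first three columns are visible on the page;
# the order of the remaining five is assumed.
ALERT_COLUMNS = "21SFRPAU"


def alert_flag_string(flags: int) -> str:
    """Render a raw TCP flags byte as the alert-line column string."""
    return "".join(c if flags & RULE_LETTERS[c] else "*" for c in ALERT_COLUMNS)


def parse_alert_flag_string(text: str) -> int:
    """Turn an alert-line column string such as '21S*****' back into bits."""
    if len(text) != len(ALERT_COLUMNS):
        raise ValueError("expected an 8-column flag field")
    flags = 0
    for ch, col in zip(text, ALERT_COLUMNS):
        if ch == "*":
            continue
        if ch != col:
            raise ValueError(f"unexpected {ch!r} in the {col!r} column")
        flags |= RULE_LETTERS[col]
    return flags


def parse_flags_option(spec: str) -> Tuple[int, int]:
    """Parse a ``flags:`` value into (required bits, bits that are checked).

    "S12"  -> SYN, ECE and CWR set and nothing else (exact match).
    "S,12" -> SYN set and everything else clear, but bits 1 and 2 ignored.
    """
    required_part, _, ignore_part = spec.partition(",")
    required = 0
    for ch in required_part:
        required |= RULE_LETTERS[ch]
    ignore = 0
    for ch in ignore_part:
        ignore |= RULE_LETTERS[ch]
    return required, 0xFF & ~ignore


def flags_match(flags: int, spec: str) -> bool:
    """Exact-match semantics of a ``flags:`` option with an optional mask."""
    required, check_mask = parse_flags_option(spec)
    return (flags & check_mask) == (required & check_mask)


def ecn_syn_example() -> Dict[str, object]:
    """Constructed packets: a plain SYN and an RFC 2481 ECN-setup SYN."""
    plain_syn = SYN
    ecn_syn = SYN | ECE | CWR          # what the quoted alert decoded to
    return {
        "plain_syn_display": alert_flag_string(plain_syn),
        "ecn_syn_display": alert_flag_string(ecn_syn),
        "plain_syn_hits_S12": flags_match(plain_syn, "S12"),
        "ecn_syn_hits_S12": flags_match(ecn_syn, "S12"),
        "plain_syn_hits_masked_S": flags_match(plain_syn, "S,12"),
        "ecn_syn_hits_masked_S": flags_match(ecn_syn, "S,12"),
    }


if __name__ == "__main__":
    for key, value in ecn_syn_example().items():
        print(f"{key}: {value}")
```

Running the module prints `21S*****` for the ECN-setup SYN, matching the quoted alert, and shows that a signature written as `S12` hits that packet while a plain SYN does not; with the reserved bits masked out (`S,12`) both SYNs are treated alike, which is the tuning a signature that only cares about the SYN itself wants.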
