[Snort-users] every connection a portscan....??

Tye F. Hammerle thammer at ...445...
Thu Oct 5 20:53:55 EDT 2000

As Phil pointed out they're probably using the ECN feature in the
experimental linux kernel.  An additional item of interest is that if
you're running a PIX firewall and it's seeing this it will not
recognize it as a valid connection attempt and will deny it.  At least
this is true with version 5.0.3. There are a couple of sites with mail
servers out there using ECN and they can't deliver mail to us because
of it. I've let them know but they chose not to reply.


----- Original Message -----
From: "Jan Muenther" <jan at ...206...>
To: <snort-users at lists.sourceforge.net>
Sent: Thursday, October 05, 2000 11:20 AM
Subject: [Snort-users] every connection a portscan....??

> I have this one host which make the portscan preprocessor go wild
> every time a TCP connection is established...
> I think it's the first packet send from the remote host with
> strange TCP flags being set... like this:
> [**] IDS029 - SCAN-Possible Queso Fingerprint attempt [**]
> 09/26-18:09:03.858555 -> xx.xxx.x.xxx:25
> TCP TTL:49 TOS:0x0 ID:0  DF
> 21S***** Seq: 0x214F4222   Ack: 0x0   Win: 0x16D0
> TCP Options => MSS: 1460 SackOK TS: 60719014 0 NOP WS: 0
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> I know from my mail logs that this was probably nothing else than
> a mail being delivered, so it doesn't really prevent me from
> sleeping. Still, I'd like to know where these flags come from...
> or is something else triggering snort alerts and I'm too silly to
> see it??
> The strange flags could also trigger the fingerprint alert
> because - as we all know after readings Fyodor's Phrack paper
> ;o)) - the reaction towards these can be very telling.
> Hm. Anybody seen this and knows what causes it...?? I can
> reproduce it by manually making a TCP connection with every given
> protocol, so it's not smtp specific...
> TIA,
> Cheers, Jan
> --
> Radio HUNDERT,6 Medien GmbH Berlin
> - EDV -
> j.muenther at ...206...
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

More information about the Snort-users mailing list