[Snort-users] NOACK ****PR**

Phil Wood cpw at ...440...
Tue Jun 19 19:14:13 EDT 2001


Folks,

I see:

  NOACK ****PR**

generated by the portscan preprocessor based on a packet from an IBM system:

220 xxx.yyy.edu running IBM MVS SMTP CS V2R7 on Tue, 19 Jun 01 15:45:52 PST

Does anyone know if this is just the way IBM implimented the TCP protocol.

I can kind of hear a conversation in the bullpen:

  "Hey, how do you suppose we are supposed to reject an incoming tcp
   connection?"

  "Oh, just push out a reset."

And so it goes.

Thanks,

Phil





More information about the Snort-users mailing list