[Snort-users] Possible network mapping?

Bill Marquette wlmarque at ...8...
Thu Mar 1 13:12:51 EST 2001

Might be a device behind a Cisco Local Director...we've seen FIN/ACKs from
numerous sites (aol.com for example) where we'll block the packet from what
appears to be a valid web server...after contacting admins we've always found
that these servers were behind a Cisco LD.  I suspect the state table in the NAT
on the Cisco device is too small and the second it FINs it drops the connection
and the web servers FIN comes a hair too late and doesn't get NATd, just gets
passed straight out.


From: Dr SuSE <drsuse at ...748...> on 03/01/2001 10:02 AM

To:   Snort Users <snort-users at lists.sourceforge.net>
Subject:  [Snort-users] Possible network mapping?

Has anyone seen this type of traffic before?  There never was a three way
handshake between my machine at and which resolves to
I'm assuming it might be a forged packet sent to solicit a response ie the tcp
reset reply from my machine.

03/01-02:04:00.491740 ->
TCP TTL:49 TOS:0x0 ID:14034 IpLen:20 DgmLen:40 DF
***A***F Seq: 0xB0B32B46  Ack: 0x97F4B645  Win: 0x4350  TcpLen: 20


03/01-02:04:00.491891 ->
TCP TTL:128 TOS:0x0 ID:23342 IpLen:20 DgmLen:40
*****R** Seq: 0x97F4B645  Ack: 0x97F4B645  Win: 0x0  TcpLen: 20


Microsoft ist nicht installiert.

Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:

More information about the Snort-users mailing list