[Snort-users] Possible network mapping?
wlmarque at ...8...
Thu Mar 1 13:12:51 EST 2001
Might be a device behind a Cisco Local Director...we've seen FIN/ACKs from
numerous sites (aol.com for example) where we'll block the packet from what
appears to be a valid web server...after contacting admins we've always found
that these servers were behind a Cisco LD. I suspect the state table in the NAT
on the Cisco device is too small and the second it FINs it drops the connection
and the web server's FIN comes a hair too late and doesn't get NAT'd, just gets
passed straight out.
From: Dr SuSE <drsuse at ...748...> on 03/01/2001 10:02 AM
To: Snort Users <snort-users at lists.sourceforge.net>
Subject: [Snort-users] Possible network mapping?
Has anyone seen this type of traffic before? There never was a three-way
handshake between my machine at 126.96.36.199 and 188.8.131.52 which resolves to
I'm assuming it might be a forged packet sent to solicit a response, i.e. the TCP
reset reply from my machine.
03/01-02:04:00.491740 184.108.40.206:80 -> 220.127.116.11:1188
TCP TTL:49 TOS:0x0 ID:14034 IpLen:20 DgmLen:40 DF
***A***F Seq: 0xB0B32B46 Ack: 0x97F4B645 Win: 0x4350 TcpLen: 20
03/01-02:04:00.491891 18.104.22.168:1188 -> 22.214.171.124:80
TCP TTL:128 TOS:0x0 ID:23342 IpLen:20 DgmLen:40
*****R** Seq: 0x97F4B645 Ack: 0x97F4B645 Win: 0x0 TcpLen: 20
Microsoft is not installed.
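A triage helper for the pattern discussed in this thread, as an added example that is not part of the original messages: it parses packet dumps in the Snort format quoted above, reports FIN/ACK segments for flows with no SYN anywhere in the log, and checks whether the RST that follows is the receiving stack's ordinary reply (its Seq equals the FIN/ACK's Ack). The addresses in the sample are constructed documentation ranges, the function names are hypothetical, and the check does not by itself tell a late FIN from a forged probe.

```python
import re

# Constructed sample in the Snort packet-dump format quoted in the thread.
# Addresses are documentation ranges; flags and Seq/Ack values are from the post.
SAMPLE = """\
03/01-02:04:00.491740 192.0.2.80:80 -> 198.51.100.7:1188
TCP TTL:49 TOS:0x0 ID:14034 IpLen:20 DgmLen:40 DF
***A***F Seq: 0xB0B32B46 Ack: 0x97F4B645 Win: 0x4350 TcpLen: 20
03/01-02:04:00.491891 198.51.100.7:1188 -> 192.0.2.80:80
TCP TTL:128 TOS:0x0 ID:23342 IpLen:20 DgmLen:40
*****R** Seq: 0x97F4B645 Ack: 0x97F4B645 Win: 0x0 TcpLen: 20
"""

HDR = re.compile(r"^\S+ (\S+):(\d+) -> (\S+):(\d+)$")
TCP = re.compile(r"^([*\w]{8}) Seq: (0x[0-9A-Fa-f]+) Ack: (0x[0-9A-Fa-f]+)")

def parse(text):
    """Yield one dict per packet: endpoints, set of flag letters, seq and ack."""
    pkt = None
    for line in text.splitlines():
        line = line.strip()
        h, t = HDR.match(line), TCP.match(line)
        if h:
            pkt = {"src": (h[1], int(h[2])), "dst": (h[3], int(h[4]))}
        elif t and pkt:
            pkt.update(flags=set(t[1]) - {"*"}, seq=int(t[2], 16), ack=int(t[3], 16))
            yield pkt
            pkt = None

def stray_fin_acks(text):
    """Return FIN/ACKs on flows with no SYN in the log, and whether the RST reply fits."""
    seen_syn, hits = set(), {}
    for p in parse(text):
        flow = frozenset((p["src"], p["dst"]))  # direction-independent flow key
        if "S" in p["flags"]:
            seen_syn.add(flow)
        elif p["flags"] == {"A", "F"} and flow not in seen_syn:
            hits[flow] = {"fin": p, "rst_matches": False}
        elif "R" in p["flags"] and flow in hits and p["src"] == hits[flow]["fin"]["dst"]:
            # RFC 793: a reset answering a segment that carries ACK takes its Seq from that ACK.
            hits[flow]["rst_matches"] = p["seq"] == hits[flow]["fin"]["ack"]
    return list(hits.values())

if __name__ == "__main__":
    for hit in stray_fin_acks(SAMPLE):
        print(hit["fin"]["src"], "->", hit["fin"]["dst"], "rst_matches:", hit["rst_matches"])
```

A log that starts after the handshake will also produce hits, so the result is only as good as the capture window.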