[Snort-users] RST vs RST|ACK

Ian Melven imelven at ...3837...
Thu Nov 1 11:58:14 EST 2001


Hi everyone

A question on portscans..  I've been scanned for SubSeven
a few times.. I set up a rule to track outgoing packets
from the default port (27374) with the ACK flag set..

This caught 2 machines sending RST|ACK packets in response
to a SYN...

Can someone explain why these are sending RST|ACK instead
of just a RST? I thought RST was the standard response to a
SYN from a closed port? Is this because the initial incoming
SYN had some data in it (I believe this is allowed...)?

I need to get an office copy of TCP/IP Illustrated :/

Thanks!
Ian
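
Added example, not part of the original post and not Snort code: a Python model of the RFC 793 reset-generation rule for a segment arriving at a closed port, plus a check that mimics the rule described in the post (source port 27374 with ACK set). The field names, function names and sample packets are constructed for illustration.

```python
# TCP header flag bits (standard values).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

def flag_names(flags):
    """Render a flag byte as e.g. 'RST|ACK'."""
    order = (("SYN", SYN), ("FIN", FIN), ("RST", RST), ("PSH", PSH), ("ACK", ACK))
    return "|".join(n for n, b in order if flags & b) or "none"

def closed_port_reply(seg):
    """Reply sent by a closed port to an incoming segment (RFC 793, state CLOSED)."""
    if seg["flags"] & RST:
        return None  # a reset is never answered with a reset
    reply = {"sport": seg["dport"], "dport": seg["sport"]}
    if seg["flags"] & ACK:
        # Incoming ACK already names the sequence number the peer expects:
        # <SEQ=SEG.ACK><CTL=RST>, no ACK flag needed.
        reply.update(flags=RST, seq=seg["ack"], ack=0)
    else:
        # No ACK on the incoming segment (a bare SYN, with or without data):
        # <SEQ=0><ACK=SEG.SEQ+SEG.LEN><CTL=RST,ACK>. SYN and FIN each count
        # as one sequence number in SEG.LEN.
        seg_len = seg["payload_len"] + bool(seg["flags"] & SYN) + bool(seg["flags"] & FIN)
        reply.update(flags=RST | ACK, seq=0, ack=(seg["seq"] + seg_len) % 2**32)
    return reply

def matches_ack_rule(pkt, port=27374):
    """Mimics the rule in the post: packet leaving `port` with the ACK flag set."""
    return pkt["sport"] == port and bool(pkt["flags"] & ACK)

# Constructed sample segments aimed at closed port 27374 (not captured traffic).
SAMPLES = {
    "bare SYN": {"sport": 40000, "dport": 27374, "flags": SYN, "seq": 1000, "ack": 0, "payload_len": 0},
    "SYN with 4 data bytes": {"sport": 40001, "dport": 27374, "flags": SYN, "seq": 1000, "ack": 0, "payload_len": 4},
    "stray ACK": {"sport": 40002, "dport": 27374, "flags": ACK, "seq": 5, "ack": 7777, "payload_len": 0},
}

if __name__ == "__main__":
    for name, seg in SAMPLES.items():
        r = closed_port_reply(seg)
        print(f"{name:22} -> {flag_names(r['flags']):8} seq={r['seq']} ack={r['ack']} "
              f"rule_match={matches_ack_rule(r)}")
```

In this model the bare SYN draws RST|ACK whether or not it carries data; only the acknowledgement number changes. A bare RST is the reply to a segment that itself had ACK set, and that reply would not match a rule keyed on the ACK flag.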



