[Snort-users] RST vs RST|ACK
imelven at ...3837...
Thu Nov 1 11:58:14 EST 2001
A question on portscans.. I've been scanned for SubSeven
a few times.. I set up a rule to track outgoing packets
from the default port (27374) with the ACK flag set..
this caught 2 machines sending RST|ACK packets in response
to a SYN...
Can someone explain why these are sending RST|ACK instead
of just a RST? I thought RST was the standard response to a
SYN from a closed port? Is this because the initial incoming
SYN had some data in it (I believe this is allowed...)?
I need to get an office copy of TCP/IP Illustrated :/
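
Added example, not part of the original post: a small Python model of the reset-generation rule in RFC 793 for a closed port, showing which probes draw RST|ACK and which draw a bare RST, and which of those replies a "source port 27374 with ACK set" test like the one in the post would see. The Segment class, the function names and the sample probes are constructed for illustration.

```python
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10  # TCP flag bits

@dataclass
class Segment:  # hypothetical minimal model of a TCP segment
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    payload_len: int = 0

    def seg_len(self) -> int:
        # SEG.LEN counts payload octets plus one each for SYN and FIN
        return self.payload_len + bool(self.flags & SYN) + bool(self.flags & FIN)

def closed_port_reply(seg: Segment):
    """Reset a closed port sends for an incoming segment (RFC 793, Reset Generation)."""
    if seg.flags & RST:
        return None  # a reset is never answered with a reset
    if seg.flags & ACK:
        # Incoming segment carries ACK: <SEQ=SEG.ACK><CTL=RST>
        return Segment(seg.dport, seg.sport, seg.ack, 0, RST)
    # No ACK (e.g. a bare SYN): <SEQ=0><ACK=SEG.SEQ+SEG.LEN><CTL=RST,ACK>
    ack = (seg.seq + seg.seg_len()) % 2**32
    return Segment(seg.dport, seg.sport, 0, ack, RST | ACK)

def flag_names(flags: int) -> str:
    pairs = (("SYN", SYN), ("FIN", FIN), ("RST", RST), ("ACK", ACK))
    return "|".join(name for name, bit in pairs if flags & bit)

def ack_rule_matches(seg: Segment, port: int = 27374) -> bool:
    # Same test as the rule in the post: source port 27374 with the ACK bit set
    return seg.sport == port and bool(seg.flags & ACK)

if __name__ == "__main__":
    probes = {  # constructed sample probes aimed at closed port 27374
        "SYN": Segment(40000, 27374, 1000, 0, SYN),
        "SYN+4 bytes": Segment(40000, 27374, 1000, 0, SYN, 4),
        "ACK": Segment(40000, 27374, 1000, 5000, ACK),
    }
    for name, probe in probes.items():
        r = closed_port_reply(probe)
        print(f"{name:12} -> {flag_names(r.flags):8} seq={r.seq} ack={r.ack} "
              f"rule_hit={ack_rule_matches(r)}")
```

Replies to ACK-flagged probes come back as a bare RST, so a rule keyed on the ACK bit alone does not see them.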