[Snort-users] Scan detected as WEB-MISC whisker tab splice attack

Darrin Powell dpowell at ...2288...
Wed Jun 4 15:02:07 EDT 2003


I received the following alert today, listed as WEB-MISC whisker tab
splice attack:

Generated by ACID v0.9.6b22 on Wed,  4 Jun 2003 17:54:55 -0400

------------------------------------------------------------------------------
#(2 - 241960) [2003-06-04 13:27:01] url[arachnids/415] [snort/1087] 
WEB-MISC whisker tab splice attack
IPv4: 64.12.29.109 -> 208.62.207.125
      hlen=5 TOS=0 dlen=41 ID=55195 flags=0 offset=0 TTL=106
chksum=15358
TCP:  port=5190 -> dport: 2476  flags=***A**** seq=1116286872
      ack=2252820826 off=5 res=0 win=16384 urp=0 chksum=489
Payload:  length = 1

000 : 09                                 

I am blocking and logging port 2476 with an iptables firewall, and
couldn't find anything in my firewall logs. Has anyone seen this? Can
someone tell me how snort saw this packet, but it never actually made it
to my firewall?


Thanks
-- 
Darrin Powell
LSSi Corp
(919) 466-6803
www.lssi.net/~dpowell




