[Snort-users] (spp_stream4) STEALTH ACTIVITY (unknown) detection

Everist, Benjamin S. (NASWI) EveristB at ...8190...
Fri May 23 10:04:02 EDT 2003


Hi all - 

I have some strange alerts I am not sure what to make of.  They are all
triggered by spp_stream4, apparently because the 'r1' or 'congestion window
reduced' flag is set (that's just a guess).  They all look like this:

05/22-10:21:27.947314 0:50:73:23:59:62 -> 8:0:20:C1:6F:F5 type:0x800 len:0x3C
xxx.xxx.xxx.xxx:80 -> xxx.xxx.xxx.xxx:29791 TCP TTL:50 TOS:0x0 ID:24615 IpLen:20 DgmLen:40 DF
1**A*R** Seq: 0x0  Ack: 0x583C  Win: 0x0  TcpLen: 20

What you can't see from the -O output is that the source IP is xxx.xxx.xxx.255,
apparently a broadcast address.  There are 71 alerts, and 65 unique
destination addresses.  The dest IPs are all in my $HOME_NET, many are
unused, and _none_ should be surfing the web.

Any idea what the 4377 this is?  I have attached the packet capture file if
it helps.

Thanks,

Benjamin Everist
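A small triage script for alerts in the layout shown above, added here as an example and not part of the original post or of Snort itself. It parses the three-line packet records Snort prints, decodes the eight-position flag field (Snort prints the TCP flag byte as "12UAPRSF" with unset bits shown as "*", the two leading positions being the reserved bits now defined as CWR and ECE by RFC 3168), and then counts unique destinations and how many records came from a source whose last octet is 255 with RST set. The sample alert text, the documentation-range addresses in it, and the function names are constructed for this example; whether a .255 address is really a directed broadcast depends on the subnet mask, which the alert text does not carry.

```python
import re
from collections import Counter

# Constructed sample in the three-line layout Snort uses for packet alerts.
# Addresses are documentation-range values chosen for this example; they are
# not from the capture discussed in the post.
SAMPLE_ALERTS = """\
05/22-10:21:27.947314 0:50:73:23:59:62 -> 8:0:20:C1:6F:F5 type:0x800 len:0x3C
192.0.2.255:80 -> 198.51.100.10:29791 TCP TTL:50 TOS:0x0 ID:24615 IpLen:20 DgmLen:40 DF
1**A*R** Seq: 0x0  Ack: 0x583C  Win: 0x0  TcpLen: 20

05/22-10:21:28.113000 0:50:73:23:59:62 -> 8:0:20:C1:6F:F5 type:0x800 len:0x3C
192.0.2.255:80 -> 198.51.100.11:29792 TCP TTL:50 TOS:0x0 ID:24616 IpLen:20 DgmLen:40 DF
1**A*R** Seq: 0x0  Ack: 0x583D  Win: 0x0  TcpLen: 20

05/22-10:21:29.000000 0:50:73:23:59:62 -> 8:0:20:C1:6F:F5 type:0x800 len:0x3C
203.0.113.7:443 -> 198.51.100.10:40000 TCP TTL:60 TOS:0x0 ID:1 IpLen:20 DgmLen:40 DF
***A**S* Seq: 0x1 Ack: 0x2 Win: 0x4000 TcpLen: 20
"""

# Snort's flag field is eight fixed positions, "12UAPRSF"; "*" means unset.
# Positions 1 and 2 are the former reserved bits, CWR and ECE (RFC 3168).
FLAG_NAMES = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")

TS_LINE = re.compile(r"^(\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)")
IP_LINE = re.compile(r"^([\d.]+):(\d+) -> ([\d.]+):(\d+) TCP TTL:(\d+) .*DgmLen:(\d+)")
TCP_LINE = re.compile(
    r"^([12UAPRSF*]{8}) Seq: (0x[0-9A-Fa-f]+)\s+Ack: (0x[0-9A-Fa-f]+)\s+Win: (0x[0-9A-Fa-f]+)"
)


def decode_flags(flag_str):
    """Turn a Snort flag string such as '1**A*R**' into a set of flag names."""
    if len(flag_str) != 8:
        raise ValueError("Snort flag field must be exactly 8 characters")
    return {name for name, ch in zip(FLAG_NAMES, flag_str) if ch != "*"}


def parse_alerts(text):
    """Return one dict per packet record (IP header line followed by TCP line)."""
    records = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m_ip = IP_LINE.match(line)
        if not m_ip or i + 1 >= len(lines):
            continue
        m_tcp = TCP_LINE.match(lines[i + 1])
        if not m_tcp:
            continue
        # The timestamp/MAC line precedes the IP line when present.
        m_ts = TS_LINE.match(lines[i - 1]) if i > 0 else None
        records.append({
            "timestamp": m_ts.group(1) if m_ts else None,
            "src": m_ip.group(1), "sport": int(m_ip.group(2)),
            "dst": m_ip.group(3), "dport": int(m_ip.group(4)),
            "ttl": int(m_ip.group(5)), "dgmlen": int(m_ip.group(6)),
            "flags": decode_flags(m_tcp.group(1)),
            "seq": int(m_tcp.group(2), 16),
            "ack": int(m_tcp.group(3), 16),
            "win": int(m_tcp.group(4), 16),
        })
    return records


def looks_like_broadcast(addr):
    """Heuristic from the post: last octet 255. A true directed-broadcast
    check needs the subnet mask, which the alert text does not include."""
    return addr.split(".")[-1] == "255"


def summarize(records):
    """Aggregate the facts an analyst wants first: volume, spread, flag mix,
    and how many records are RSTs from a broadcast-looking source."""
    dst_counts = Counter(r["dst"] for r in records)
    bcast_rst = [r for r in records
                 if looks_like_broadcast(r["src"]) and "RST" in r["flags"]]
    return {
        "total": len(records),
        "unique_dsts": len(dst_counts),
        "broadcast_source_rst": len(bcast_rst),
        "flag_combos": Counter(tuple(sorted(r["flags"])) for r in records),
    }


if __name__ == "__main__":
    recs = parse_alerts(SAMPLE_ALERTS)
    for r in recs:
        print(r["timestamp"], r["src"], "->", r["dst"], sorted(r["flags"]))
    print(summarize(recs))
```

Run against a real alert file by replacing SAMPLE_ALERTS with the file contents; the flag_combos counter makes it obvious when every record shares one unusual combination such as CWR+ACK+RST with a zero window, which is the pattern the post describes.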



-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.log.1051805857
Type: application/octet-stream
Size: 5420 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20030523/8242cfc1/attachment.obj>
