[Snort-users] What is this alert??

Wes Young wcyoung at ...12754...
Mon Mar 21 05:49:46 EST 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

it usually has to deal with one of 2 things:

A hacker is trying to evade your IDS with funky resets (I'm pretty sure
RST is resets)

Or you have a program out there that is acting up/violating protocol

not a 100% sure since i've not seen that many in real life, but
something to go off of.

I would check out the dst IP as a safety precaution, see if there is
anything wierd running on it. Or see if it has shown up in your alert
logs previously (till now).

gl

Marc Hering wrote:
| Hey All,
| I keep getting this same alert over and over and over (About 5k times
| already since Thursday)
|
| (spp_stream4) possible EVASIVE RST detection
|
| I can't seem to find any usefull info on it aside from that it is
| detecting a lot of RST requests...Is this a common alert that needs to
| be tweaked or am I looking at something more sinister?
|
| Thanks!
| <M>
|

- --
Wes Young
Network Security Analyst
University at Buffalo
GPG Key: http://saxjazman9-security.blogspot.com/2005/01/gpg-key.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCPtCT1M5o0FsrrbERAsD3AJ0fHenSN0fBCuOlD8q5qHB/J8MXcgCePqyT
2PK5hN81Ia2aVFTrW4CbnYM=
=g8/M
-----END PGP SIGNATURE-----




More information about the Snort-users mailing list