[Snort-users] Re: [Snort-sigs] bad traffic in syn packet

Frank Knobbe frank at ...9761...
Wed Sep 7 11:19:29 EDT 2005


On Tue, 2005-09-06 at 09:10 -0400, John Hally wrote:
> Need a quick sanity check here.  I'm seeing alerts for traffic in syn
> packets, and all are destined for TCP/53.  Is it possible that data is
> being piggy-backed in the syn packet on purpose and the traffic is
> benign?  I don't see any other anomalies to or from these hosts, but
> wanted to make sure that I'm not overlooking something obvious.

Heya John,

what is the data in question? Anything identifiable? If not, these could
be probes from load-balancers. Perhaps you can see a pattern by src or
dst?

Cheers,
Frank

-- 
Ciscogate: Shame on Cisco. Double-Shame on ISS.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20050907/6ae4bb08/attachment.sig>


More information about the Snort-users mailing list