[Snort-users] Re: bad traffic in syn packet

Brian Coyle brian at ...8398...
Mon Sep 19 09:03:13 EDT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[snort-sigs dropped from reply as it's OT for that list]

On Tuesday 06 September 2005 09:10, John Hally wrote:

> Need a quick sanity check here.  I'm seeing alerts for traffic in syn
> packets, and all are destined for TCP/53.  Is it possible that data is
> being piggy-backed in the syn packet on purpose and the traffic is benign? 
> I don't see any other anomalies to or from these hosts, but wanted to make
> sure that I'm not overlooking something obvious.

Take a look at this analysis and see if it matches your traffic:
http://cert.uni-stuttgart.de/archive/intrusions/2002/09/msg00123.html


- -- 
Redundancy?  You can say that again!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: Brian Coyle, GCIA                http://www.giac.org/GCIA.php

iD8DBQFDHkK6ER3MuHUncBsRAvJJAJ9eCoWfj2drGVTA36QzSC8GTsfMaQCggLXT
6UyDHARlgD3RIS/UK2Q47Uk=
=KqNH
-----END PGP SIGNATURE-----




