IDS mailing list archives
RE: BARE BYTE UNICODE ENCODING
From: Omar Herrera <oherrera () prodigy net mx>
Date: Tue, 01 Jun 2004 21:57:21 -0600
Annie,

Any alert that checks for patterns at application level will trigger with ACK packets. SYN packets are only used to initiate the connection (three-way handshake) and therefore have no application payload. ACK packets carry payload (HTTP in this case) and are used to exchange data over TCP (ACK+PSH packets are also common).

There should have been a SYN packet at the beginning, but your IDS will not trigger on it unless it had some type of irregularity.

Regards,
Omar

What does it mean if the packet that triggers this alert is the TCP "ACK" packet? When I traced back, I couldn't find the "SYN" packet. Is it always the case that any packet that causes "BARE BYTE UNICODE ENCODING" is the ACK packet?

Regards,
Annie
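
The point made in the reply above, as an added example that is not part of the original posts: a constructed TCP flow is parsed segment by segment, showing that only the segment carrying HTTP payload can trip an application-level check. The function names are hypothetical, and `has_bare_byte` is a simplified stand-in that assumes the alert means a raw byte above 0x7F in the request URI; it is not any IDS's actual logic.

```python
import struct

# TCP flag bits (RFC 793)
FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK"}

def build_segment(flags, payload=b"", sport=40000, dport=80, seq=1, ack=0):
    """Build a constructed 20-byte TCP header (checksum left at 0) plus payload."""
    offset_flags = (5 << 12) | flags  # data offset = 5 words, no options
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, 8192, 0, 0)
    return header + payload

def parse_segment(segment):
    """Return (flag names, payload bytes) for a raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    offset_flags = struct.unpack("!H", segment[12:14])[0]
    header_len = (offset_flags >> 12) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    names = [name for bit, name in FLAGS.items() if offset_flags & bit]
    return names, segment[header_len:]

def has_bare_byte(payload):
    """Assumed, simplified check: a raw byte > 0x7F in the HTTP request URI."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return len(parts) >= 2 and any(b > 0x7F for b in parts[1])

def inspect(segments):
    """Per segment: (flags, payload length, whether the payload check fires)."""
    results = []
    for seg in segments:
        names, payload = parse_segment(seg)
        fired = bool(payload) and has_bare_byte(payload)
        results.append(("+".join(names), len(payload), fired))
    return results

# Constructed sample flow: handshake, then one request with raw UTF-8 bytes in the URI.
SAMPLE_FLOW = [
    build_segment(0x02),                                # client SYN, no payload
    build_segment(0x12, sport=80, dport=40000, ack=2),  # server SYN+ACK
    build_segment(0x10, seq=2, ack=2),                  # client ACK, still empty
    build_segment(0x18, b"GET /caf\xc3\xa9 HTTP/1.0\r\n\r\n", seq=2, ack=2),
]

if __name__ == "__main__":
    for flags, size, fired in inspect(SAMPLE_FLOW):
        print(f"{flags:8} payload={size:3} alert={fired}")
```
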