Security Incidents mailing list archives
RE: Strange TCP headers
From: Robert Buckley <rbuckley () synapsemail com>
Date: Fri, 10 May 2002 13:40:04 -0400
pb,

> It's not like there's a standard signature... ACK FIN URG set or something. Some have two flags, some have three, some have all six, some have none. It really seems like someone is manipulating these packets.

It sure does seem that way; in fact I noticed in some of your output that the header size was 0. Now we all know that's a sure impossibility. PIX won't pass anything from a high -> low interface without a bare SYN on it 1st anyway, so we can bet it's not going to get anywhere.

Mirror a port and throw a sniffer there and monitor the port in question. If you find the garbage is truly garbage, and PIX is reporting correctly, trace it back to the user.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
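The sanity checks discussed in this message, applied to TCP headers taken from a sniffer on a mirrored port, as an added example that is not part of the original post. The function names and the sample headers are constructed for illustration; the rules cover a header length below the 20-byte minimum and flag combinations that normal traffic does not produce.

```python
import struct

# The six classic TCP flag bits (byte 13 of the header).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def check_tcp_header(segment: bytes) -> list:
    """Return the reasons a captured TCP header looks malformed or crafted."""
    if len(segment) < 20:
        return ["truncated: fewer than 20 bytes of TCP header"]
    (_sport, _dport, _seq, _ack, off_res, flag_byte,
     _win, _csum, _urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    problems = []
    hdr_len = (off_res >> 4) * 4  # data offset is counted in 32-bit words
    if hdr_len < 20:
        problems.append(f"header length {hdr_len} is below the 20-byte minimum")
    elif hdr_len > len(segment):
        problems.append(f"header length {hdr_len} exceeds the captured segment")
    flags = flag_byte & 0x3F
    if flags == 0:
        problems.append("no flags set")
    if flags == 0x3F:
        problems.append("all six flags set")
    if flags & SYN and flags & FIN:
        problems.append("SYN and FIN set together")
    if flags & SYN and flags & RST:
        problems.append("SYN and RST set together")
    if not flags & ACK and flags & (FIN | PSH | URG):
        problems.append("FIN/PSH/URG set without ACK")
    return problems

def build_header(flags: int, data_offset: int = 5) -> bytes:
    """Constructed sample: a 20-byte TCP header with arbitrary ports and sequence."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                       data_offset << 4, flags, 8192, 0, 0)

if __name__ == "__main__":
    samples = {  # constructed headers, not taken from the thread's logs
        "bare SYN": build_header(SYN),
        "PSH+ACK data": build_header(PSH | ACK),
        "header size 0": build_header(ACK, data_offset=0),
        "no flags": build_header(0),
        "all six flags": build_header(0x3F),
    }
    for name, hdr in samples.items():
        print(f"{name}: {check_tcp_header(hdr) or 'ok'}")
```

A header that fails these checks in the sniffer capture as well as in the firewall log confirms that the packets really are malformed on the wire rather than misreported.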