Security Incidents mailing list archives
[Snort-users] bad IP traffic
From: NC Agent <NC_Agent () kueppers-familie de>
Date: Fri, 20 Jun 2003 18:01:28 +0200
My company NIDS - i.e. snort 2.0 - has been triggering a lot of "BAD-TRAFFIC bad frag bits" alerts for the last three or four days. These come out when a TCP packet has both the fragment and don't_fragment bits on. The target of these alerts is almost always the IP address of a particular web server (one in our server farm). Other alerts are triggered on this target: some are common ones, such as the Apache worm for old Apache versions, which is usual maltraffic, but others are of the type "bad TCP/IP traffic", such as anomalous TTL values for packets.

It seems to me this could be a scan/information-gathering technique; is that correct? Can this be a false positive? Can this be something more dangerous?

Any help will be very appreciated.

Cheers,
Max
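The condition described in the message above, as an added example that is not part of the original post: a check for IPv4 headers with both flag bits set, grouped by source address with the TTL values seen. It assumes "fragment" means the IPv4 More Fragments (MF) flag; the helper names, addresses and packets are constructed for illustration.

```python
import struct
from collections import Counter, defaultdict

IP_DF = 0x4000       # Don't Fragment bit in the 16-bit flags/offset field
IP_MF = 0x2000       # More Fragments bit (assumed meaning of "fragment" bit)
IP_OFFMASK = 0x1FFF  # fragment offset, counted in 8-byte units
HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, network byte order

def parse_ipv4(packet: bytes) -> dict:
    """Extract the header fields relevant to the alerts from raw IPv4 bytes."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, flags_off, ttl, proto, _, src, dst = struct.unpack(HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {"df": bool(flags_off & IP_DF), "mf": bool(flags_off & IP_MF),
            "offset": (flags_off & IP_OFFMASK) * 8, "ttl": ttl, "proto": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}

def bad_frag_bits(packet: bytes) -> bool:
    """True when DF and MF are set together, the combination in the alert."""
    h = parse_ipv4(packet)
    return h["df"] and h["mf"]

def summarize(packets) -> dict:
    """Map each source to (hit count, sorted TTLs) for packets with DF+MF."""
    hits, ttls = Counter(), defaultdict(set)
    for p in packets:
        h = parse_ipv4(p)
        if h["df"] and h["mf"]:
            hits[h["src"]] += 1
            ttls[h["src"]].add(h["ttl"])
    return {src: (n, sorted(ttls[src])) for src, n in hits.items()}

def build_header(src: str, dst: str, flags_off: int, ttl: int) -> bytes:
    """Constructed sample header: TCP protocol, checksum left at 0."""
    return struct.pack(HDR, 0x45, 0, 40, 1, flags_off, ttl, 6, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

# Constructed samples using documentation address ranges, not real traffic.
SAMPLES = [
    build_header("198.51.100.7", "192.0.2.10", IP_DF | IP_MF, 242),
    build_header("198.51.100.7", "192.0.2.10", IP_DF | IP_MF, 242),
    build_header("203.0.113.5", "192.0.2.10", IP_DF, 64),
    build_header("203.0.113.9", "192.0.2.10", IP_MF, 128),
]

if __name__ == "__main__":
    for src, (count, seen_ttls) in summarize(SAMPLES).items():
        print(f"{src}: {count} packets with DF+MF, TTLs {seen_ttls}")
```

Run against headers extracted from a capture, the per-source counts and TTLs show whether the alerts come from one sender or many.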