Evasive RST's

[JSeddon () semtech com]

My second highest source of alerts is EVASIVE RST:  They all look something
like this:

spp_stream4: EVASIVE RST detection [**]
  08/02-21:59:59.323103 a.b.c.d:443 -> d.e.f.g:53366
  TCP TTL:235 TOS:0x0 ID:61358 IpLen:20 DgmLen:40 DF
  *****R** Seq: 0x6D751BAC Ack: 0x0 Win: 0x2238 TcpLen: 20 [Snort log]

It is always coming from port 443 (with a couple of exceptions on port 80).
The src addresses seem to be web sites that we would expect and approve our
employees to visit.  That's why I think they are probably false alarms.

I've been trying to look up what this pre-processor is trying to detect and
haven't been able to find it.  Sorry if I've missed it....I've seen some
posts in old mail archives but haven't gotten a clear answer to:

What is stream4 tripping on?  What is an evasive reset?  What kind of
attack uses this that stream4 wants to tell you about?  What makes an
EVASIVE RST different from a legit RST?

Thanks!

James


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users