Snort mailing list archives
Acid TCP options
From: "Selder, Patrick [NCSBE - Non JJ]" <PSELDER () ncsbe jnj com>
Date: Tue, 31 Jul 2001 08:34:07 +0200
I have found a few alerts that look weird in my eyes. Maybe someone can clear the mist for me. The alert is triggered for connecting to the FTP service. Normally the TCP flags are r1=X r0=X syn=X seq=..... offset 10; this is blocked and logged by the firewall. Now I'm getting a connection attempt to port 21 with the following TCP flags: r1= r0= syn=x seq=..... offset 7, but no blocking rules from the firewall. Did the packet go through? I have no FTP service running though. Or could it be a false positive?

My simple Snort rule is:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP connection attempt"; flags:S+; classtype:bad-unknown;)

Is this rule correct for this? Can someone explain the TCP flags r1, r0, urg and psh?

Thanks and best regards,

Patrick Selder
e-Business Operations Team
Networking & Computing Services
Johnson & Johnson
tel. +32-14-606438
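As an added illustration for readers of this thread (it is not part of the original post and not code from the Snort or ACID projects), the Python script below builds two constructed TCP headers shaped like the alerts described above (a SYN with both reserved bits set and a 40-byte header, i.e. offset 10, and a plain SYN with a 28-byte header, i.e. offset 7), decodes the fields ACID prints (flags, data offset, sequence number), and evaluates the rule's flags:S+ option against each. Assumptions: ACID's r1/r0 columns are the two high reserved bits of the TCP flags byte (0x80 and 0x40), the bits that RFC 3168 later defined as CWR and ECE, which Snort's flags keyword addresses as 1 and 2; the flags parser accepts the modifier either leading (Snort 2 manual form) or trailing (the S+ form used in the post). Packet contents, ports and sequence numbers are made up for the example.

```python
import struct

# TCP flag bits in byte 13 of the TCP header. Assumption: ACID's r1/r0 columns are the
# two high reserved bits (0x80, 0x40), the bits RFC 3168 later named CWR and ECE.
FLAG_BITS = [("r1", 0x80), ("r0", 0x40), ("urg", 0x20), ("ack", 0x10),
             ("psh", 0x08), ("rst", 0x04), ("syn", 0x02), ("fin", 0x01)]

# Snort 'flags:' letters -> bit values ("1" and "2" address the reserved bits).
SNORT_LETTERS = {"1": 0x80, "2": 0x40, "U": 0x20, "A": 0x10,
                 "P": 0x08, "R": 0x04, "S": 0x02, "F": 0x01}


def build_tcp_header(sport, dport, seq, flags, options=b""):
    """Build a raw TCP header (checksum left zero) with the given flags and options."""
    options += b"\x00" * ((-len(options)) % 4)   # options are padded to 32-bit words
    data_offset = 5 + len(options) // 4          # header length in 32-bit words
    offset_flags = (data_offset << 12) | (flags & 0xFF)
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, offset_flags,
                       8192, 0, 0) + options


def decode_tcp_header(raw):
    """Return the fields ACID shows: ports, seq, data offset and the set flag names."""
    sport, dport, seq, _ack, offset_flags = struct.unpack("!HHIIH", raw[:14])
    data_offset = offset_flags >> 12
    flags = offset_flags & 0xFF
    return {
        "sport": sport, "dport": dport, "seq": seq,
        "offset": data_offset,                 # the 'offset N' value ACID prints
        "header_len": data_offset * 4,         # bytes: 20 fixed + options
        "flags": flags,
        "set": [name for name, bit in FLAG_BITS if flags & bit],
    }


def _bits(letters):
    """Translate Snort flag letters to a bit mask ('0' means no flags)."""
    mask = 0
    for ch in letters:
        if ch != "0":
            mask |= SNORT_LETTERS[ch]
    return mask


def snort_flags_match(spec, flags):
    """Evaluate a Snort 'flags:' value against a flags byte.

    '+' = listed bits set, others ignored; '*' = any listed bit set;
    '!' = no listed bit set; no modifier = exact match. An optional
    ',<letters>' names bits to ignore during the comparison."""
    spec = spec.replace(" ", "")
    spec, _, mask_spec = spec.partition(",")
    modifier = ""
    if spec and spec[0] in "+*!":          # leading modifier (Snort 2 manual)
        modifier, spec = spec[0], spec[1:]
    elif spec and spec[-1] in "+*!":       # trailing modifier, as in 'S+'
        modifier, spec = spec[-1], spec[:-1]
    want = _bits(spec)
    have = flags & ~_bits(mask_spec) & 0xFF
    if modifier == "+":
        return have & want == want
    if modifier == "*":
        return have & want != 0
    if modifier == "!":
        return have & want == 0
    return have == want


def ecn_setup_syn(flags):
    """True for a SYN (no ACK) with both reserved bits set: an RFC 3168 ECN-setup SYN."""
    return flags & 0xC2 == 0xC2 and not flags & 0x10


RULE_FLAGS = "S+"   # the flags option from the rule in the post

# Constructed option blocks: 6 bytes (MSS, SACK-permitted) pad to 8 -> offset 7;
# 20 bytes (MSS, NOP, window scale, SACK-permitted, timestamps) -> offset 10.
MSS_SACK = b"\x02\x04\x05\xb4\x04\x02"
LONG_OPTS = b"\x02\x04\x05\xb4\x01\x03\x03\x00\x04\x02\x08\x0a" + b"\x00" * 8

PKT_ECN_SYN = build_tcp_header(40000, 21, 0x1234, 0x80 | 0x40 | 0x02, LONG_OPTS)
PKT_PLAIN_SYN = build_tcp_header(40001, 21, 0x5678, 0x02, MSS_SACK)


def explain(raw):
    """Decode a header and report whether the rule's flags option would match it."""
    info = decode_tcp_header(raw)
    info["matches_rule"] = snort_flags_match(RULE_FLAGS, info["flags"])
    info["ecn_setup_syn"] = ecn_setup_syn(info["flags"])
    return info


if __name__ == "__main__":
    for pkt in (PKT_ECN_SYN, PKT_PLAIN_SYN):
        i = explain(pkt)
        print(f"dport={i['dport']} flags={' '.join(i['set'])} offset={i['offset']} "
              f"({i['header_len']} bytes) S+ matches={i['matches_rule']} "
              f"ecn_setup_syn={i['ecn_setup_syn']}")
```

Both constructed segments satisfy flags:S+, because the plus modifier only requires SYN to be set and ignores the reserved bits; the first segment is additionally recognised as an ECN-setup SYN, which is why its reserved bits show as set in ACID. An exact flags:S would match only the second segment, and flags:S,12 would match both while explicitly ignoring the reserved bits.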
Current thread:
- Acid TCP options Selder, Patrick [NCSBE - Non JJ] (Jul 30)