Snort mailing list archives
RE: Too many stealth alerts
From: "Estes, Matt CPR / FCBS" <Matt.Estes () eis army mil>
Date: Mon, 15 Apr 2002 17:13:02 -0400
Great, thanks Erek. Just wanted another opinion before my eyes gloss over once again at another non-standard MS machine causing false alarms (like that ever happens). Matt
-----Original Message----- From: Erek Adams [mailto:erek () theadamsfamily net] Sent: Monday, April 15, 2002 3:28 PM To: Estes, Matt CPR / FCBS Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] Too many stealth alerts On Mon, 15 Apr 2002, Estes, Matt CPR / FCBS wrote:I routinely(!) get "Stealth" packets from talkativeExchange servers... isthis ok? Why would a machine possible have null flags orevery flag set ina TCP packet. Hardware problems?Yep. Running a MS OS on it. ;-) MS has a nasty habit of not following RFC's. Due to that in many ways the TCP/IP stack of some boxes seems 'broken', since it's not all quite standard. But you're right.... That's not the way it should be. Something is off somewhere. ----- Erek Adams Nifty-Type-Guy TheAdamsFamily.Net
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Too many stealth alerts Estes, Matt CPR / FCBS (Apr 15)
- Re: Too many stealth alerts Erek Adams (Apr 15)
- <Possible follow-ups>
- RE: Too many stealth alerts Estes, Matt CPR / FCBS (Apr 15)