Snort mailing list archives
Re: Strange Alerts
From: Neil Dickey <neil () geol niu edu>
Date: Wed, 23 Apr 2003 10:31:11 -0500 (CDT)
Brett.Gillett () tsx com wrote asking:
I have a question regarding alerts that we started to receive once we upgraded to Snort 2.0. It seems that all of our sensors started generating T/TCP Detected alerts
T/TCP stands for "Transaction TCP", and is a way of dispensing with the customary three-way handshake used to initiate a TCP exchange over the network. Do a Google on "t/tcp" and you'll find out lots about it, but here's a link to get started:

http://ttcplinux.sourceforge.net/

I grepped the source IP in my webserver logs and have so far found that these packets are commonly associated with "normal" sessions involving Microsoft IE clients. Are you hosting any websites?

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115