This is a discussion on [Snort-users] Re: [Snort-sigs] bad traffic in syn packet within the Snort forums, part of the System Security and Security Related category.
On Tue, 2005-09-06 at 09:10 -0400, John Hally wrote:
> Need a quick sanity check here. I'm seeing alerts for traffic in syn
> packets, and all are destined for TCP/53. Is it possible that data is
> being piggy-backed in the syn packet on purpose and the traffic is
> benign? I don't see any other anomalies to or from these hosts, but
> wanted to make sure that I'm not overlooking something obvious.

Heya John,

what is the data in question? Anything identifiable? If not, these could be probes from load-balancers. Perhaps you can see a pattern by src or dst?

Cheers,
Frank

--
Ciscogate: Shame on Cisco. Double-Shame on ISS.
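The check for a pattern by source or destination suggested in the reply can be run offline over captured packets. The following is an added example, not part of the original thread: it picks out IPv4 TCP SYN packets (ACK clear) that carry data and tallies them by source, destination and payload shape. The function names, addresses and sample packets are constructed for illustration.

```python
import struct
from collections import Counter

def syn_payload(pkt):
    """Return (src, dst, dport, payload) for an IPv4 TCP SYN (ACK clear) with data, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None                      # too short, not IPv4, or not TCP
    ihl = (pkt[0] & 0x0F) * 4
    total_len, frag = struct.unpack("!H", pkt[2:4])[0], struct.unpack("!H", pkt[6:8])[0]
    if ihl < 20 or total_len > len(pkt) or total_len < ihl + 20 or frag & 0x3FFF:
        return None                      # malformed, truncated, or a fragment
    tcp = pkt[ihl:total_len]
    dport, data_off, flags = struct.unpack("!H", tcp[2:4])[0], (tcp[12] >> 4) * 4, tcp[13]
    if data_off < 20 or data_off > len(tcp) or flags & 0x12 != 0x02:
        return None                      # bad TCP header, or not SYN-without-ACK
    payload = tcp[data_off:]
    src, dst = ".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20]))
    return (src, dst, dport, payload) if payload else None

def summarize(packets, port=53):
    """Tally SYN-with-data packets to `port` by source, destination and payload shape."""
    out = {"by_src": Counter(), "by_dst": Counter(), "payloads": Counter()}
    for src, dst, dport, payload in filter(None, map(syn_payload, packets)):
        if dport == port:
            out["by_src"][src] += 1
            out["by_dst"][dst] += 1
            out["payloads"][(len(payload), payload[:8].hex())] += 1
    return out

def build(src, dst, dport, flags, payload=b""):
    """Constructed test packet: minimal IPv4 + TCP headers, checksums left at zero."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, flags, 8192, 0, 0) + payload
    addr = lambda a: bytes(map(int, a.split(".")))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                       addr(src), addr(dst)) + tcp

# Constructed sample traffic (documentation address ranges), not taken from the thread.
SAMPLE = [
    build("192.0.2.10", "198.51.100.53", 53, 0x02, b"\x00" * 24),  # SYN with data
    build("192.0.2.10", "198.51.100.54", 53, 0x02, b"\x00" * 24),  # same source and payload
    build("192.0.2.11", "198.51.100.53", 53, 0x02, b"probe"),      # SYN with data
    build("192.0.2.12", "198.51.100.53", 53, 0x02),                # ordinary empty SYN
    build("192.0.2.13", "198.51.100.53", 53, 0x18, b"data"),       # PSH/ACK, not a SYN
    build("192.0.2.14", "198.51.100.53", 80, 0x02, b"x"),          # SYN with data, other port
]

if __name__ == "__main__":
    for name, counts in summarize(SAMPLE).items():
        print(name, counts.most_common())
```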