Snort mailing list archives
RE: BAD TRAFFIC data in TCP SYN packet
From: "John York" <YorkJ () brcc edu>
Date: Tue, 25 Feb 2003 13:28:21 -0500
That could be it--sounds like speedera pings or unix mtu path discovery, etc. I'll try to contact the originators of the packets and see if they have F5 3-DNS.
-----Original Message-----
From: Coyle, Brian [mailto:Brian.Coyle () disney com]
Sent: Tuesday, February 25, 2003 1:12 PM
To: John York; snort-users () lists sourceforge net
Subject: RE: [Snort-users] BAD TRAFFIC data in TCP SYN packet

I've been getting a lot of alerts on this the last few days. There are several source IP addresses, but they are all owned by either Nintendo of America or an ISP in NC. They are always directed at my public DNS server's port 53.

Might be a Foundry 3DNS load balancer. see (esp. section 6 'Correlations'): http://cert.uni-stuttgart.de/archive/intrusions/2002/09/msg00123.html

-- Brian Coyle, GCIA
Current thread:
- BAD TRAFFIC data in TCP SYN packet John York (Feb 25)
- <Possible follow-ups>
- RE: BAD TRAFFIC data in TCP SYN packet Keith Pachulski (Feb 25)
- Re: BAD TRAFFIC data in TCP SYN packet Phil Wood (Feb 25)
- Re: BAD TRAFFIC data in TCP SYN packet Brian (Feb 26)
- BAD TRAFFIC data in TCP SYN packet Ron Shuck (Feb 25)
- RE: BAD TRAFFIC data in TCP SYN packet Coyle, Brian (Feb 25)
- RE: BAD TRAFFIC data in TCP SYN packet John York (Feb 25)
- RE: BAD TRAFFIC data in TCP SYN packet John York (Feb 25)
