Snort mailing list archives
Scan detected as WEB-MISC whisker tab splice attack
From: Darrin Powell <dpowell () lssi net>
Date: 04 Jun 2003 18:01:00 -0400
I received the following alert today, listed as WEB-MISC whisker tab splice attack:
Generated by ACID v0.9.6b22 on Wed, 4 Jun 2003 17:54:55 -0400
------------------------------------------------------------------------------
#(2 - 241960) [2003-06-04 13:27:01] url[arachnids/415] [snort/1087] WEB-MISC whisker tab splice attack
IPv4: 64.12.29.109 -> 208.62.207.125
hlen=5 TOS=0 dlen=41 ID=55195 flags=0 offset=0 TTL=106 chksum=15358
TCP: port=5190 -> dport: 2476 flags=***A**** seq=1116286872 ack=2252820826 off=5 res=0 win=16384 urp=0 chksum=489
Payload: length = 1
000 : 09
I am blocking and logging port 2476 with an iptables firewall, and
couldn't find anything in my firewall logs. Has anyone seen this? Can
someone tell me how snort saw this packet, but it never actually made it
to my firewall?
Thanks
--
Darrin Powell
LSSi Corp
(919) 466-6803
www.lssi.net/~dpowell
