CRIME Half-Open Syn

From: Buelna, Derek (derek.buelna@private)
Date: Mon Mar 01 2004 - 16:26:16 PST

  • Next message: Jason Chan: "RE: CRIME Half-Open Syn"

    I'm curious if any of you commonly see IDS events related to half-open SYN connections?
    The description of the signature I'm hitting is as follows: "Triggers when multiple TCP sessions have been improperly initiated on any of several well-known service ports. Detection of this signature is currently limited to FTP, Telnet, WWW, SSH and E-mail servers (TCP ports 21, 23, 80, 22 and 25 respectively). This is indicative that a denial of service attack against your network may be in progress."
    I seem to be seeing a lot of Windows stuff, as TCP dst ports 445 and 139 show up a lot. I also see TCP dst port 25, SMTP.
    Your feedback would be appreciated,
    
    Derek A. Buelna, CISSP, CCIE
    Information Security
    XEROX Office Group
    
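The logic the quoted signature describes, written out as an added example (this is not code from the original post or from any IDS product): track client SYNs that are never completed by a final ACK or torn down by a RST, then count the ones that have stayed open past a handshake timeout per destination ip:port, and alert only on the ports the signature lists. The packet records, the timeout and the threshold are constructed assumptions; the port list (21, 22, 23, 25, 80) is the one in the signature text. The sample traffic also carries unanswered SYNs to 445 to show that, with the documented port list, those do not contribute to this particular alert.

```python
from collections import defaultdict

# Ports named in the signature description (FTP, SSH, Telnet, SMTP, WWW).
MONITORED_PORTS = {21, 22, 23, 25, 80}
HANDSHAKE_TIMEOUT = 3.0   # seconds a SYN may go unanswered (assumed value)
THRESHOLD = 5             # half-open sessions per dst ip:port before alerting (assumed)


def detect_half_open(packets, now, monitored=MONITORED_PORTS,
                     timeout=HANDSHAKE_TIMEOUT, threshold=THRESHOLD):
    """Return {(dst_ip, dst_port): half_open_count} for monitored ports whose
    half-open count at time `now` reaches the threshold.

    `packets` is a time-ordered iterable of dicts with keys t, src, sport,
    dst, dport and flags (a string such as "S", "SA", "A", "R", "PA").
    Packets later than `now` are ignored.
    """
    pending = {}  # (client_ip, client_port, server_ip, server_port) -> SYN time
    for p in packets:
        if p["t"] > now:
            break
        fl = p["flags"]
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if fl == "S":
            # Client SYN opens a pending (half-open) session.
            pending.setdefault(key, p["t"])
        elif fl == "SA":
            # Server SYN/ACK alone does not complete the handshake.
            continue
        elif "A" in fl or "R" in fl:
            # Final ACK (client->server) completes the session; a RST from
            # either side aborts it. Clear both orientations of the 4-tuple.
            rev = (p["dst"], p["dport"], p["src"], p["sport"])
            pending.pop(key, None)
            pending.pop(rev, None)

    counts = defaultdict(int)
    for (_cip, _cport, sip, sport), t0 in pending.items():
        if sport in monitored and now - t0 >= timeout:
            counts[(sip, sport)] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


def sample_packets():
    """Constructed traffic for illustration; not captured from any real network."""
    pk = []

    def add(t, src, sport, dst, dport, flags):
        pk.append({"t": t, "src": src, "sport": sport,
                   "dst": dst, "dport": dport, "flags": flags})

    # Six SYNs to SMTP from distinct (probably spoofed) sources, never completed.
    for i in range(6):
        add(0.1 * i, f"198.51.100.{i + 1}", 40000 + i, "10.0.0.5", 25, "S")
    # One normal three-way handshake to the web server.
    add(1.00, "192.0.2.10", 51000, "10.0.0.5", 80, "S")
    add(1.01, "10.0.0.5", 80, "192.0.2.10", 51000, "SA")
    add(1.02, "192.0.2.10", 51000, "10.0.0.5", 80, "A")
    # One SSH attempt the server refused with a RST.
    add(2.00, "192.0.2.11", 52000, "10.0.0.5", 22, "S")
    add(2.01, "10.0.0.5", 22, "192.0.2.11", 52000, "R")
    # Eight unanswered SYNs to SMB (445), which is not on the signature's list.
    for i in range(8):
        add(3.0 + 0.1 * i, f"203.0.113.{i + 1}", 45000 + i, "10.0.0.5", 445, "S")
    return pk


if __name__ == "__main__":
    alerts = detect_half_open(sample_packets(), now=10.0)
    for (ip, port), n in sorted(alerts.items()):
        print(f"half-open SYN alert: {n} incomplete sessions to {ip}:{port}")
```

Evaluated at `now=10.0` the sample yields a single alert for 10.0.0.5:25 with six half-open sessions; the completed web handshake and the RST-terminated SSH attempt are not counted, and the eight pending SYNs to 445 only show up if 445 is passed in `monitored`. Evaluating at `now=1.0` yields nothing, because no SYN has yet exceeded the timeout.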



    This archive was generated by hypermail 2b30 : Mon Mar 01 2004 - 17:10:30 PST