>Derek wrote:
>
> I'm curious if any of you commonly see IDS events related to
> half-open SYN connections?
>
> The description of the signature I'm hitting is as follows:
>
> Triggers when multiple TCP sessions have been improperly
> initiated on any of several well known service ports.
> Detection of this signature is currently limited to FTP,
> Telnet, WWW, SSH and E-mail servers (TCP ports 21, 23, 80, 22
> and 25 respectively). This is indicative that a denial of
> service attack against your network may be in progress.
>
> I seem to be seeing a lot of Windows stuff as TCP dst ports
> 445 and 139 show up a lot. I also see TCP dst port 25, SMTP.
>
> Your feedback would be appreciated,

RE: DoS, the number of SYNs would have to be pretty high. Otherwise, I would peg this as a simple SYN scan (i.e. via nmap, paketto, or other port scanner).

What does the 'improperly initiated' refer to, just that it's half-open?

Jason
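The distinction Jason draws (a handful of half-open SYNs spread across the watched ports looks like a port scan; a very high count against one service looks like a SYN flood) can be made concrete with a small counter over half-open session records. The following is an added illustration written for this archive page; it is not the sensor's own signature logic and not code posted by Derek or Jason. The record format, the `HalfOpen` type, the per-source sliding window and the two thresholds (`scan_min_targets`, `flood_min_count`) are assumptions chosen for the example; only the monitored port set (21, 22, 23, 25, 80) comes from the signature description above. The sample events are constructed, not captured traffic.

```python
"""Half-open (SYN-only) session counter: scan-shaped vs flood-shaped sources.

Hypothetical input: records of TCP sessions that received a SYN but never
completed the three-way handshake ("improperly initiated" in the signature
text). Only the ports the quoted signature watches are counted.
"""
from collections import defaultdict
from dataclasses import dataclass

# Port set from the signature description in the thread (FTP, SSH, Telnet, SMTP, WWW).
MONITORED_PORTS = frozenset({21, 22, 23, 25, 80})


@dataclass(frozen=True)
class HalfOpen:
    """One half-open session record (assumed format, not a real sensor export)."""
    ts: float    # seconds since an arbitrary epoch
    src: str     # source address of the SYN
    dst: str     # destination address
    dport: int   # destination TCP port


def build_sample_events():
    """Constructed sample events; addresses are documentation ranges."""
    events = []
    # 10.0.0.5: one SYN to each monitored port plus one to 445 -> scan-shaped.
    for i, port in enumerate([21, 22, 23, 25, 80, 445]):
        events.append(HalfOpen(100.0 + 0.2 * i, "10.0.0.5", "192.0.2.10", port))
    # 10.0.0.9: 250 SYNs to the SMTP port within three seconds -> flood-shaped.
    for i in range(250):
        events.append(HalfOpen(200.0 + 3.0 * i / 250, "10.0.0.9", "192.0.2.10", 25))
    # 10.0.0.7: two SYNs to the web port -> below both thresholds.
    events.append(HalfOpen(300.0, "10.0.0.7", "192.0.2.10", 80))
    events.append(HalfOpen(300.5, "10.0.0.7", "192.0.2.10", 80))
    return events


def summarize(events, window=10.0):
    """Per source: (peak half-open count, peak distinct targets) in any window.

    A "target" is a (destination address, destination port) pair, so a scan that
    touches many ports raises the second number while a flood raises the first.
    """
    by_src = defaultdict(list)
    for e in events:
        if e.dport in MONITORED_PORTS:   # ports such as 445/139 are ignored here
            by_src[e.src].append(e)
    summary = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        peak_count = 0
        peak_targets = 0
        j = 0
        for i, start in enumerate(evs):
            # Advance j to the first event later than the window starting at evs[i];
            # j only moves forward because the events are sorted by time.
            while j < len(evs) and evs[j].ts <= start.ts + window:
                j += 1
            in_window = evs[i:j]
            peak_count = max(peak_count, len(in_window))
            peak_targets = max(peak_targets, len({(e.dst, e.dport) for e in in_window}))
        summary[src] = (peak_count, peak_targets)
    return summary


def classify(events, window=10.0, scan_min_targets=5, flood_min_count=200):
    """Label each source; the thresholds are assumed values for the example."""
    labels = {}
    for src, (count, targets) in summarize(events, window).items():
        if count >= flood_min_count:
            labels[src] = "syn_flood"        # many half-opens: DoS-shaped
        elif targets >= scan_min_targets:
            labels[src] = "syn_scan"         # few half-opens, many targets
        else:
            labels[src] = "below_threshold"  # ordinary retries / timeouts
    return labels


if __name__ == "__main__":
    for src, label in sorted(classify(build_sample_events()).items()):
        print(src, label)
```

The point of the two separate measures is the one made in the reply: the signature fires on any "multiple" half-open sessions, so a sensor operator wanting to separate a scan from an actual resource-exhaustion attempt has to look at the count in a short window, not just at the fact that sessions were left half-open. In practice the thresholds would be tuned against a baseline of the site's own traffic, because legitimate clients behind a flaky link also leave half-open sessions.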
This archive was generated by hypermail 2b30 : Mon Mar 01 2004 - 17:51:50 PST