It depends on where the IDS sensor is. That doesn't sound like DoS to me, that sounds like someone scanning your network with a SYN-scan. Windows traffic is common everywhere since Windows OSes leak information continuously.

If you are finding yourself responsible for performing intrusion analysis, I'd strongly suggest you attend the SANS GCIA training as you would absolutely find answers to these questions in their material.

t

On Mon, 01 Mar 2004 16:26:16 -0800 "Buelna, Derek" <derek.buelna@private> wrote:
>I'm curious if any of you commonly see IDS events related to a half-
>open syn connections?
>The description of the signature I'm hitting is as follows: Triggers
>when multiple TCP sessions have been improperly initiated on any
>of several well known service ports. Detection of this signature
>is currently limited to FTP, Telnet, WWW, SSH and E-mail servers
>(TCP ports 21, 23, 80, 22 and 25 respectively). This is indicative
>that a denial of service attack against your network may be in progress.
>
>I seem to be seeing a lot of windows stuff as tcp dst ports 445 and
>139 show up a lot. I also see tcp dst port 25, smtp.
>Your feedback would be appreciated,
>
>Derek A. Buelna, CISSP, CCIE
>Information Security
>XEROX Office Group
>
>

"I have gone to great lengths to expand my threshold of pain"
-Tool
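
The scan-versus-DoS distinction discussed in this thread can be checked on the sensor's own data by grouping half-open connections two ways: by source (many distinct targets suggests a SYN scan) and by target (many half-opens on one service suggests a flood). This is an added example, not code from the thread or from any IDS product; the record format, the thresholds and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

def half_open(events):
    """Connections that sent a SYN but never the ACK completing the handshake."""
    pending = set()
    for src, sport, dst, dport, flags in events:
        conn = (src, sport, dst, dport)
        if flags == "S":
            pending.add(conn)
        elif flags == "A":
            pending.discard(conn)
    return pending

def classify(events, fanout=5, depth=5):
    """Split half-open activity into scan-like sources and flood-like targets.
    fanout and depth are assumed thresholds, to be tuned per network."""
    targets_by_src = defaultdict(set)   # src -> distinct (dst, dport) probed
    conns_by_target = defaultdict(set)  # (dst, dport) -> distinct (src, sport)
    for src, sport, dst, dport in half_open(events):
        targets_by_src[src].add((dst, dport))
        conns_by_target[(dst, dport)].add((src, sport))
    return {
        "scan_like": sorted(s for s, t in targets_by_src.items() if len(t) >= fanout),
        "flood_like": sorted(t for t, c in conns_by_target.items() if len(c) >= depth),
    }

def sample_events():
    """Constructed client-to-server packets: (src, sport, dst, dport, flags)."""
    ev = []
    # One source, one SYN each to six hosts on 445, never completed.
    ev += [("192.0.2.10", 40000 + i, f"10.0.0.{i}", 445, "S") for i in range(1, 7)]
    # Normal SMTP client: SYN followed by the completing ACK.
    ev += [("192.0.2.20", 51000, "10.0.0.5", 25, "S"),
           ("192.0.2.20", 51000, "10.0.0.5", 25, "A")]
    # Eight sources leaving half-open connections on one web server.
    ev += [(f"198.51.100.{i}", 1024 + i, "10.0.0.9", 80, "S") for i in range(1, 9)]
    return ev

if __name__ == "__main__":
    print(classify(sample_events()))
```

Where the sensor sits changes what these counts mean: outside the firewall the same grouping will be dominated by background probing that never reaches an internal host.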