Re: CRIME Half-Open Syn

From: toby (tobyhush@private)
Date: Mon Mar 01 2004 - 22:42:46 PST


    It depends on where the IDS sensor is. That doesn't sound like DoS to
    me, that sounds like someone scanning your network with a SYN-scan. Windows
    traffic is common everywhere since Windows OSes leak information continuously.
    If you are finding yourself responsible for performing intrusion analysis,
    I'd strongly suggest you attend the SANS GCIA training as you would
    absolutely find answers to these questions in their material.
    
    t
    
    On Mon, 01 Mar 2004 16:26:16 -0800 "Buelna, Derek" <derek.buelna@private>
    wrote:
    >I'm curious if any of you commonly see IDS events related to half-open
    >SYN connections?
    >The description of the signature I'm hitting is as follows: Triggers
    >when multiple TCP sessions have been improperly initiated on any
    >of several well known service ports. Detection of this signature
    >is currently limited to FTP, Telnet, WWW, SSH and E-mail servers
    >(TCP ports 21, 23, 80, 22 and 25 respectively). This is indicative
    >that a denial of service attack against your network may be in progress.
    >
    >I seem to be seeing a lot of Windows stuff as tcp dst ports 445 and
    >139 show up a lot. I also see tcp dst port 25, smtp.
    >Your feedback would be appreciated,
    >
    >Derek A. Buelna, CISSP, CCIE
    >Information Security
    >XEROX Office Group
    >
    >
    
    "I have gone to great lengths to expand my threshold of pain"
    -Tool
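The distinction toby draws above (one source leaving half-open SYNs on many hosts and ports versus many sources leaving them on one service) can be scored from client-side packet records. The Python below is an added example, not code from the thread or from any IDS product; it uses the five ports the quoted signature names, a constructed packet list, and an assumed threshold of 5.

```python
"""Label half-open SYN activity as a port scan or a SYN flood (added example)."""
from collections import defaultdict

MONITORED_PORTS = {21, 22, 23, 25, 80}   # ports named by the quoted IDS signature


def half_open_sessions(packets):
    """Return the set of (src, dst, dport) whose SYN was never followed by the
    client's final ACK, i.e. sessions left half-open.

    packets: iterable of (src, dst, dport, flags) seen from the client side,
    flags "S" for SYN and "A" for the handshake-completing ACK.  The server's
    SYN-ACK is not needed for this heuristic and is simply not recorded.
    """
    pending = set()
    for src, dst, dport, flags in packets:
        key = (src, dst, dport)
        if flags == "S":
            pending.add(key)
        elif flags == "A":
            pending.discard(key)          # three-way handshake completed
    return pending


def classify(packets, threshold=5):
    """Return [(label, who, count)]: 'scan' when one source left half-open
    SYNs on >= threshold distinct host:port targets, 'flood' when one
    host:port received half-open SYNs from >= threshold distinct sources."""
    half = {k for k in half_open_sessions(packets) if k[2] in MONITORED_PORTS}
    by_src, by_target = defaultdict(set), defaultdict(set)
    for src, dst, dport in half:
        by_src[src].add((dst, dport))
        by_target[(dst, dport)].add(src)
    findings = [("scan", src, len(t)) for src, t in by_src.items() if len(t) >= threshold]
    findings += [("flood", "%s:%d" % tgt, len(s)) for tgt, s in by_target.items() if len(s) >= threshold]
    return findings


# Constructed sample traffic (assumed addresses): one host probing five monitored
# ports on two servers, one of those SMTP sessions completing, and eight
# sources leaving half-open SYNs on a single web server.
SAMPLE = [("10.0.0.9", "192.0.2.%d" % h, p, "S") for h in (1, 2) for p in (21, 22, 23, 25, 80)]
SAMPLE += [("10.0.0.9", "192.0.2.1", 25, "A")]                      # completes one session
SAMPLE += [("198.51.100.%d" % i, "192.0.2.7", 80, "S") for i in range(1, 9)]

if __name__ == "__main__":
    for finding in classify(SAMPLE):
        print(finding)   # ('scan', '10.0.0.9', 9) then ('flood', '192.0.2.7:80', 8)
```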
    



    This archive was generated by hypermail 2b30 : Mon Mar 01 2004 - 23:18:41 PST