Excuse a new subscriber's question, but the relevant IDS-FOCUS list yielded no results and I've been stumped nearly a week, and it was suggested that I ask here.

I have an IDS (cisco IOS) on our border router that occasionally over the past few weeks has been triggering an attack signature:

    %IDS-4-TCP_NO_FLAGS_SIG: Sig:3040:TCP - No bits set in flags

or in other words, no flag bits are set in the TCP header, which is illegal according to our kind list sponsor's website at http://www.securityfocus.com/frames/?focus=ids&content=/focus/ids/articles/abnormal1.html, which in reference to "abnormal TCP packets" includes: "Some packets have absolutely no flags set at all; these are referred to as "null" packets. It is illegal to have a packet with no flags set."

Because this is an active firewall/IDS, it drops the packet and sends a reset to each end of the connection, so sendmail tries again. And yes, it is sendmail, I've sniffed it. I've seen it from sendmail versions 8.8, 8.9, and 8.10, but so far from only 3 sites in three weeks. The mail is innocent enough (except for the most recent, which was a hijacked sendmail relay trying to send spam) and if I disable the signature temporarily it does get delivered.

Is there any explanation of how these packets could be legitimately sent by sendmail? I still need to move the sniffer between the border and edge router to see the "offending" packet, but at this point I'm baffled. The offending packet comes during the DATA part of the transaction, during the transmission of the RFC822 headers. Ring any bells? We get tens of thousands of mails a day from numerous sites, and why would these three be a problem? Could it be a platform-related stack issue?

Jeff Kell <jeff-kellat_private>
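Added example (not from the post or from Cisco): a small Python checker that reproduces the Sig 3040 condition, a TCP segment whose flags byte has no bits set, on raw IPv4/TCP packets. The packets, addresses and ports are constructed here for illustration; the alert text mirrors the IOS message quoted above.

```python
import socket
import struct

# Bit positions 0..7 of TCP header byte 13 (ECE/CWR are the ECN bits).
FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")

def build_ipv4_tcp(src_port, dst_port, flags, src_ip="192.0.2.10", dst_ip="192.0.2.25"):
    """Constructed IPv4+TCP packet with no options or payload (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1000, 2000,
                      5 << 4,           # data offset = 5 words (20 bytes), reserved bits 0
                      flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64,
                     socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + tcp

def tcp_flags(packet):
    """Return the TCP flags byte of an IPv4/TCP packet, or None if it is not one."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4           # IP header length in bytes (options included)
    if ihl < 20 or packet[9] != socket.IPPROTO_TCP or len(packet) < ihl + 20:
        return None
    return packet[ihl + 13]                # byte 13 of the TCP header holds the flags

def flag_names(flags):
    return [name for bit, name in enumerate(FLAG_NAMES) if flags >> bit & 1]

def is_null_tcp(packet):
    """True for a TCP segment with no flag bits set at all (the Sig 3040 condition)."""
    return tcp_flags(packet) == 0

def check_packet(packet):
    """Classify one packet the way the border IDS would, as a short log-style string."""
    flags = tcp_flags(packet)
    if flags is None:
        return "not an IPv4/TCP packet"
    if flags == 0:
        return "ALERT Sig:3040:TCP - No bits set in flags"
    return "ok flags=" + "|".join(flag_names(flags))

if __name__ == "__main__":
    # A normal mid-DATA segment (PSH|ACK) versus a null segment on the same port pair.
    for pkt in (build_ipv4_tcp(41000, 25, 0x18), build_ipv4_tcp(41000, 25, 0x00)):
        print(check_packet(pkt))
```

Running a capture of the failing session through check_packet shows whether the dropped segment really is a null packet or whether something else in the flow is tripping the signature.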
This archive was generated by hypermail 2b30 : Wed Apr 18 2001 - 21:03:52 PDT