Re: Strange sendmail IDS triggers

From: Jeff Kell (jeff-kellat_private)
Date: Thu Apr 19 2001 - 17:04:38 PDT

    After further examination and re-plumbing our cabling to the edge router
    to allow me to sniff packets "pre-IDS/firewall", I strongly suspect this
    is a bug in Cisco's IOS FW/IDS feature set.
    
    In each of the three cases of "no flags set in TCP header" the sendmail
    session was doing fine until after the DATA part of the SMTP
    session.  The next packet was fragmented (slightly .. about 14 bytes
    overflow from standard MTU).  The following trailing fragment of course
    had no TCP header, just IP, and was padded with zeroes to fit the
    minimum 64-byte packet size, followed by the checksum.
    
    If the packet were "blindly" decoded as if it was not a fragment, the
    offset of the normal TCP flags field within the packet fell into the
    zero-padded part of the payload.  So no, no flags in that "header".
    
    I have a case open with them to confirm my suspicions, but the packet
    trace looks innocent enough to me.
    
    Sorry for the (probably) false alarm.
    
    Jeff Kell <jeff-kellat_private>
    Systems/Network Administrator
    
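    The decode error described above, reproduced as an added example in Python (this is not Jeff's trace, Cisco's code, or any real IDS decoder; the packets, ports and payload sizes are constructed). It fragments a PSH/ACK SMTP segment that overflows a 1500-byte MTU, pads the short trailing fragment with zeros the way Ethernet does, and then decodes it two ways: a naive decoder that reads the "TCP flags" byte at a fixed offset from the IP header, and a fragment-aware decoder that refuses to look for a transport header when the fragment offset is non-zero or the datagram is too short. The `overflow` parameter is an assumption; it only controls whether the byte the naive decoder reads lands in the zero padding or in the last bytes of real data.

```python
import struct

# Constructed example packets; nothing here comes from the original trace.
ETH_MIN_PAYLOAD = 46   # 64-byte minimum frame minus 14-byte header minus 4-byte FCS
MTU = 1500
IP_HLEN = 20
TCP_HLEN = 20


def ip_checksum(hdr: bytes) -> int:
    """Standard one's-complement IPv4 header checksum."""
    if len(hdr) % 2:
        hdr += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(payload_len, ident, more_fragments, frag_offset_bytes,
                src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02", proto=6):
    """Build a 20-byte IPv4 header (addresses are assumed test values)."""
    assert frag_offset_bytes % 8 == 0          # offset field is in 8-byte units
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HLEN + payload_len, ident,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def tcp_header(sport, dport, seq, ack, flags):
    """Minimal 20-byte TCP header; TCP checksum is left 0 (not verified here)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       (TCP_HLEN // 4) << 4, flags, 8192, 0, 0)


def fragment_tcp_segment(ident, tcp_hdr, data, mtu=MTU):
    """Split tcp_hdr+data into IPv4 fragments the way a router would.
    Only the first fragment carries the TCP header."""
    segment = tcp_hdr + data
    chunk = (mtu - IP_HLEN) // 8 * 8           # 1480 bytes of payload per fragment
    frags, off = [], 0
    while off < len(segment):
        piece = segment[off:off + chunk]
        mf = off + len(piece) < len(segment)   # More Fragments on all but the last
        frags.append(ipv4_header(len(piece), ident, mf, off) + piece)
        off += len(piece)
    return frags


def on_the_wire(ip_packet):
    """Ethernet zero-pads short frames up to the 46-byte minimum payload."""
    return ip_packet + b"\x00" * max(0, ETH_MIN_PAYLOAD - len(ip_packet))


def naive_tcp_flags(frame):
    """Buggy decode: assumes every IP packet carries a TCP header at ihl*4."""
    ihl = (frame[0] & 0x0F) * 4
    return frame[ihl + 13]                     # flags byte of a TCP header


def fragment_aware_tcp_flags(frame):
    """Return the TCP flags only when a TCP header is actually present."""
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    flags_frag = struct.unpack("!H", frame[6:8])[0]
    if flags_frag & 0x1FFF:                    # non-zero offset: no transport header here
        return None
    if total_len < ihl + TCP_HLEN:             # too short: don't read into padding
        return None
    return frame[ihl + 13]


def demo(overflow=12):
    """SMTP DATA scenario: one PSH/ACK segment overflowing the MTU by `overflow` bytes.
    Returns (naive, fragment_aware) flag decodes for each fragment on the wire."""
    data = b"X" * (MTU - IP_HLEN - TCP_HLEN + overflow)
    tcp = tcp_header(40000, 25, 1000, 2000, 0x18)          # PSH|ACK, assumed ports
    frames = [on_the_wire(f) for f in fragment_tcp_segment(0x1234, tcp, data)]
    return [(naive_tcp_flags(f), fragment_aware_tcp_flags(f)) for f in frames]


if __name__ == "__main__":
    for ovf in (12, 14):
        print("overflow=%d:" % ovf, [(hex(n), a) for n, a in demo(ovf)])
```

    With a 12-byte overflow the trailing fragment is a 32-byte IP datagram padded to 46, and the naive decoder reads its "flags" byte from the zero padding: exactly the "no flags set in TCP header" alert. With 14 bytes of overflow the same byte falls on the last byte of real data instead, so the naive decoder reports whatever the message body happened to contain there; either way the fragment-aware decoder returns None for the trailing fragment and only reports PSH|ACK for the first one.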



    This archive was generated by hypermail 2b30 : Fri Apr 20 2001 - 10:41:37 PDT