At 11:40 PM 5/2/01, Patrick Cheong Shu Yang wrote:
>I have also seen the same potential intrusion from our Snort logs as
>follows:-
>
>11:05:18.603917 255.255.255.255.31337 > xxx.xxx.xxx.xx.515: R 0:3(3) ack
>0 win 0
>0x0000 4500 002b 0000 0000 0e06 1900 ffff ffff E..+............
>0x0010 cab9 c914 7a69 0203 0000 0000 0000 0000 ....zi..........
>0x0020 5014 0000 cd27 0000 636b 6f00 0000 P....'..cko...
>
>Anyone else seen this and can anyone explain what this is?!?!

I've seen one per day over the past week. Same elite source port. About 20 packets over an eight-hour period (as if it's trying to evade detection). It's way too slow to be a DOS attack and any responses from a listening lpr would never get back to the spoofer. I have no explanation for it.

-- Joe
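
A decode of the quoted packet's IPv4 and TCP headers, as an added example that is not part of the original messages. The function names are hypothetical, and the destination address bytes are replaced with the documentation address 192.0.2.20.

```python
import ipaddress
import struct

# Bytes transcribed from the quoted dump. Constructed change: the destination
# address (offsets 16-19) is replaced with the documentation address 192.0.2.20.
PACKET_HEX = """
4500 002b 0000 0000 0e06 1900 ffff ffff
c000 0214 7a69 0203 0000 0000 0000 0000
5014 0000 cd27 0000 636b 6f00 0000
"""
PACKET = bytes.fromhex("".join(PACKET_HEX.split()))
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def decode(raw):
    """Decode the IPv4 and TCP headers of a raw packet (no link-layer header)."""
    (ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4  # IP header length in bytes
    sport, dport, seq, ack, off_flags, win = struct.unpack(
        "!HHIIHH", raw[ihl:ihl + 16])
    data_start = ihl + (off_flags >> 12) * 4  # end of the TCP header
    return {
        "src": str(ipaddress.ip_address(src)),
        "dst": str(ipaddress.ip_address(dst)),
        "ttl": ttl, "ip_id": ip_id, "proto": proto, "total_len": total_len,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win,
        "flags": [name for bit, name in TCP_FLAGS if off_flags & bit],
        # Bytes past total_len are padding, not TCP data.
        "payload": raw[data_start:total_len],
    }


def observations(pkt):
    """List header properties of the packet that a sensor can test for."""
    notes = []
    if pkt["src"] == "255.255.255.255":
        notes.append("source is the limited broadcast address, not a valid sender")
    if "RST" in pkt["flags"] and pkt["payload"]:
        notes.append("RST segment carries %d payload bytes" % len(pkt["payload"]))
    if pkt["seq"] == 0 and pkt["ack"] == 0 and pkt["win"] == 0:
        notes.append("sequence, acknowledgment and window fields are all zero")
    return notes


if __name__ == "__main__":
    packet = decode(PACKET)
    print(packet)
    for note in observations(packet):
        print("-", note)
```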
This archive was generated by hypermail 2b30 : Fri May 04 2001 - 07:32:02 PDT