RE: Suspect short first fragment?

From: Ralph Los (RLosat_private)
Date: Thu Feb 28 2002 - 10:28:22 PST


    Fragmented port-0 (nmap) scan, with fragmentation enabled??  Just a thought.
    
    ----------------------------------------|
    Ralph M. Los
    Sr. Security Consultant and Trainer
              EnterEdge Technology, L.L.C.
              rlosat_private
              (770) 955-9899 x.206
    ----------------------------------------| 
    
    ::-----Original Message-----
    ::From: jamie@jamie-sue.org [mailto:jamie@jamie-sue.org] 
    ::Sent: Thursday, February 28, 2002 12:57 PM
    ::To: incidentsat_private
    ::Subject: Suspect short first fragment?
    ::
    ::
    ::
    ::
    ::I got several of these messages in my syslogd logs - 
    ::I'm using Redhat 7.1 
    ::
    ::any idea?  Is this an attack? 
    ::
    ::Suspect short first fragment. eth0 PROTO=17 212.15.64.83:0 200.186.111.146:0 L=20 S=0x00 I=40960 F=0x4000 T=116 (#0)
    ::
    ::--------------------------------------------------------------
    ::--------------
    ::This list is provided by the SecurityFocus ARIS analyzer 
    ::service. For more information on this free incident handling, 
    ::management 
    ::and tracking system please see: http://aris.securityfocus.com
    ::
    ::
    
    
    


