Re: Strange TCP headers

From: Michel Arboi (arboiat_private)
Date: Sat May 11 2002 - 00:32:54 PDT

     --- pbsarnacat_private wrote:
    > The interesting thing is that a majority of the scans are originating
    > from port 6346, which snort.org informs me is the gnutella server 
    > port.
    
    I suspect that your Pix is not decoding those packets (or fragments)
    correctly.
    If this is a new scanning technique, I hardly understand its use. Some
    kind of fingerprinting maybe? They would use the 6346 port because it
    might be unfiltered (on personal firewall at least), just like some
    people used the 20 (FTP data) port to go through stupid stateless
    filters.
    
    > All those I've verified that at least
    > two of the clients that these packets were directed to were running
    > various file-sharing clients.
    
    So I'd rather bet on
    1. an artefact created by the Cisco
    2. some data corruption (bad phone line, defective modem, whatever)
    3. some IP layer bug
    
    
    



    This archive was generated by hypermail 2b30 : Sat May 11 2002 - 09:58:58 PDT