Invalid TCP header flags

From: kyle.r.maxwellat_private
Date: Mon Jul 08 2002 - 13:22:21 PDT


    We're seeing occasional TCP traffic with FIN-RST-ACK or FIN-PSH-RST-ACK set
    in the header. The strange part is that it's always set for port 110 (this
    is in fact a legitimate POP server). The traffic is observed inside the
    firewall; I don't have an IDS sensor outside.
    
    Could this just be port scanning, OS fingerprinting, a broken stack, or
    something else? I've googled around but haven't found too much useful info,
    other than to see that other folks have seen similar stuff.
    
    --
    Kyle Maxwell
    InfoSec Engineer
    Global Security Operations Center
    Verizon International Security
    Office  - 972-929-1287
    Hotline - 972-929-1290
    kyle.r.maxwellat_private
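
An added example, not part of the original post: one way to pick out the FIN-RST-ACK and FIN-PSH-RST-ACK segments described above from raw TCP headers on a sensor. The header bytes in `SAMPLES` are constructed for illustration, and all function names are hypothetical.

```python
import struct

# Flag bits in the low six bits of bytes 12-13 of the TCP header (RFC 793).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ORDER = ["FIN", "SYN", "PSH", "RST", "ACK", "URG"]  # display order used in the post


def parse_tcp(header: bytes):
    """Return (src_port, dst_port, set of flag names) from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    src, dst, _seq, _ack, off_flags = struct.unpack("!HHIIH", header[:14])
    bits = off_flags & 0x3F
    return src, dst, {name for name, bit in FLAGS.items() if bits & bit}


def find_fin_rst(headers, port=110):
    """List (index, src, dst, flags) for segments on `port` with FIN and RST both set."""
    hits = []
    for i, raw in enumerate(headers):
        try:
            src, dst, flags = parse_tcp(raw)
        except ValueError:
            continue  # truncated capture: nothing to classify
        if port in (src, dst) and {"FIN", "RST"} <= flags:
            hits.append((i, src, dst, "-".join(n for n in ORDER if n in flags)))
    return hits


def make_header(src, dst, names):
    """Build a 20-byte TCP header (constructed sample data, no options)."""
    bits = sum(FLAGS[n] for n in names)
    return struct.pack("!HHIIHHHH", src, dst, 1000, 2000, (5 << 12) | bits, 8192, 0, 0)


# Constructed samples: ordinary POP3 traffic mixed with the reported combinations.
SAMPLES = [
    make_header(110, 40001, ["PSH", "ACK"]),                # normal data
    make_header(110, 40001, ["FIN", "RST", "ACK"]),         # reported combination
    make_header(40002, 110, ["FIN", "PSH", "RST", "ACK"]),  # reported combination
    make_header(40003, 80, ["FIN", "RST", "ACK"]),          # same flags, other port
    b"\x00\x6e",                                            # truncated header
    make_header(40001, 110, ["FIN", "ACK"]),                # normal close
]

if __name__ == "__main__":
    for hit in find_fin_rst(SAMPLES):
        print(hit)
```

The same test as a capture filter is `tcp port 110 and tcp[13] & 5 == 5`.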
    
    
    