On Mon, Jul 08, 2002 at 03:22:21PM -0500, kyle.r.maxwellat_private wrote:
> We're seeing occasional TCP traffic with FIN-RST-ACK or FIN-PSH-RST-ACK set
> in the header. The strange part is that it's always set for port 110 (this
> is in fact a legitimate POP server). The traffic is observed inside the
> firewall; I don't have an IDS sensor outside.
>
> Could this just be port scanning,

Yes, but probably no.

> OS fingerprinting,

Yes, but probably no.

> a broken stack,

Yes.

> or something else?

Yes.

> I've googled around but haven't found too much useful info,
> other than to see that other folks have seen similar stuff.

I think the interesting thing to note is that the RST-flag is set. It is
extremely rare to see a RST in a hostile packet since it takes a _really_
broken stack to ever respond to a TCP packet with the RST set.

If these come with any frequency, it would be interesting to do a packet
capture and see exactly what goes on before and after these fly by.
-- 
Crist J. Clark                     | cjclarkat_private
                                   | cjclarkat_private
http://people.freebsd.org/~cjc/    | cjcat_private

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
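As an added example (not from the thread or either poster), here is the kind of check one would run over the packet capture the reply suggests: it decodes raw TCP headers, keeps only traffic to or from port 110, and reports packets whose flag combination (RST together with FIN or SYN) no conforming stack would emit. The sample packets below are constructed for the example, not taken from the reported traffic.

```python
import struct

# TCP flag bits (low byte of the 16-bit data-offset/flags field).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}

def parse_tcp_header(buf):
    """Decode the fixed 20-byte TCP header; return ports, seq/ack and the set of flag names."""
    if len(buf) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", buf[:20])
    flag_bits = off_flags & 0x3F          # ignore reserved/ECN bits
    flags = {name for bit, name in FLAG_NAMES.items() if flag_bits & bit}
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}

def flag_anomaly(flags):
    """Return a short reason if RST is combined with FIN or SYN, else None."""
    if "RST" in flags and flags & {"FIN", "SYN"}:
        return "RST combined with " + "/".join(sorted(flags & {"FIN", "SYN"}))
    return None

def find_anomalies(packets, watch_port=110):
    """List (index, sport, dport, flags, reason) for contradictory-flag packets on watch_port."""
    hits = []
    for i, pkt in enumerate(packets):
        hdr = parse_tcp_header(pkt)
        if watch_port not in (hdr["sport"], hdr["dport"]):
            continue
        reason = flag_anomaly(hdr["flags"])
        if reason:
            hits.append((i, hdr["sport"], hdr["dport"], sorted(hdr["flags"]), reason))
    return hits

def make_tcp(sport, dport, flags, seq=1, ack=0):
    """Build a minimal 20-byte TCP header (constructed test input; checksum left zero)."""
    off_flags = (5 << 12) | flags         # data offset 5 words, no options
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, 8192, 0, 0)

# Constructed sample resembling what the post describes: a normal POP3
# handshake and teardown with two contradictory-flag packets mixed in.
SAMPLE = [
    make_tcp(40001, 110, SYN),
    make_tcp(110, 40001, SYN | ACK),
    make_tcp(40001, 110, ACK),
    make_tcp(40001, 110, FIN | RST | ACK),
    make_tcp(40001, 110, FIN | PSH | RST | ACK),
    make_tcp(40001, 110, FIN | ACK),
]
```

Running `find_anomalies(SAMPLE)` reports packets 3 and 4 only; the surrounding handshake and FIN-ACK pass, which is the "before and after" context the reply asks for.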
This archive was generated by hypermail 2b30 : Tue Jul 09 2002 - 09:57:31 PDT