
Hello all,

I have been monitoring this list silently for a while now, and want all to
know that I have learned a lot from those who post here.  I recently posted
a question to this list, but I was remiss to introduce myself...my
apologies.  I am a security administrator for a fairly large company and
responsible for managing our intrusion detection systems.  I have RealSecure
3.2.1 (recently upgraded to 3.2.2) implemented on NT platforms.

The question I have for the experts on this board is this:  I currently have
a RS network sensor monitoring our DMZ and I discovered an
"IPProtocolViolation" event that I need help to decipher.  Particulars are
as follows:

Source Addr:  205.x.x.x (Internet)
Dest Addr:  10.x.x.x (a mail gateway server located on the same DMZ as the
sensor)
Protocol:  TCP
Source Port:  44822
Dest Port:  email

RealSecure identifies the reason as an "unusual TCP flag combination" with a
value of 21.  Can anyone help me to understand the meaning of what I am
seeing?  I do not understand what the "value 21" means.  I have run a number
of reports and I can't find any other related events that would indicate an
attack from the same IP range of the source.  Any help in answering this
puzzling question would be highly appreciated.


Mark H. Anderson
Security Specialist
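
Added example, not part of the original post and not RealSecure code: one way to read a reported flag value, assuming it is the raw TCP header flags byte (RFC 793 bit layout). The post does not say whether 21 is decimal or hexadecimal, so the sketch decodes both; the function names and the list of anomalous combinations are illustrative choices.

```python
# Decode a TCP flags byte and list combinations that intrusion detection
# rules commonly treat as anomalous. Assumption: the alert value is the raw
# flags byte from the TCP header; names below are illustrative.

TCP_FLAGS = [
    (0x01, "FIN"),
    (0x02, "SYN"),
    (0x04, "RST"),
    (0x08, "PSH"),
    (0x10, "ACK"),
    (0x20, "URG"),
]

def decode_flags(value):
    """Return the names of the flag bits set in the low six bits of value."""
    return [name for bit, name in TCP_FLAGS if value & bit]

def unusual_reasons(value):
    """Return the reasons a combination looks abnormal (empty list if none)."""
    flags = set(decode_flags(value))
    reasons = []
    if not flags:
        reasons.append("no flags set (null packet)")
    if {"SYN", "FIN"} <= flags:
        reasons.append("SYN and FIN together")
    if {"SYN", "RST"} <= flags:
        reasons.append("SYN and RST together")
    if {"FIN", "RST"} <= flags:
        reasons.append("FIN and RST together")
    if "ACK" not in flags and flags & {"FIN", "PSH", "URG"}:
        reasons.append("FIN/PSH/URG without ACK")
    return reasons

def report(raw):
    """Decode raw (the string shown in an alert) as decimal and as hex."""
    out = {}
    for base, label in ((10, "decimal"), (16, "hex")):
        value = int(raw, base)
        out[label] = (value, decode_flags(value), unusual_reasons(value))
    return out

if __name__ == "__main__":
    for label, (value, flags, reasons) in report("21").items():
        print(f"{label}: 0x{value:02x} flags={'+'.join(flags) or 'none'} "
              f"unusual={reasons or 'no'}")
```
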


