TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
Mark,
I have seen similar alerts from RealSecure implementations in the past. I am
not certain of the answer, but perhaps this will help you get there.
I am working on the assumption that the TCP Flags that RealSecure is
describing are the TCP Options and the number reported is the decimal value
of these flags [1]; therefore 21 is 010101:
|U|A|P|R|S|F|
|R|C|S|S|Y|I|
|G|K|H|T|N|N|
-------------
|0|1|0|1|0|1|
so that is ACK, RST and FIN - which is a rather odd combination. But not
unique to you - it gets name-checked in this article
http://www.nlanr.net/NA/Learn/mice.html as PC TCP, although I couldn't track
it down further than that. For those of you who don't know TCP options, this
is a combination of the normal "polite" end to a TCP connection, ACK/FIN, with
the "Something horrible has occurred - stop everything" RST, which could be
seen as a rather mixed message.
If you are seeing the same IP address at the remote end causing the alarms
then I'd recommend tcpdump/snooping for that address until you can get a
whole trace of the connection so that you can see what is causing this or
contact the remote end - You might want to also check your mail logs to see
if mail is coming from that host or if you are getting port 25 connections
to your mail server without mail being delivered.
The closest match in arachNIDS (http://dev.whitehats.com/ids/ids.html) is a
full XMAS scan that doesn't seem to be what you are seeing so it doesn't
seem to match any known exploit code so you've either a false alarm or a new
detect.
My feeling would be that you have found a class of TCP/IP implementations in
someone sending you mail with some rather painful errors and that it isn't
an attack - but you should never discount the unknown - at the very least
you have an apparently unpublished passive fingerprint
(http://www.enteract.com/~lspitz/finger.html).
Hope this helps and let us know if you get to the bottom of it,
Stephen.
[1] I have no evidence of this other than common sense - I'd welcome
confirmation from anyone (ISS?) who knows for sure.
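As an added example (not code from either poster), the following Python decodes a numeric "TCP flag combination" value such as the 21 in the alert into flag names, pulls the same field out of a raw TCP header, and explains why a given combination might be flagged. The "unusual combination" rules are my own reading of RFC 793 and are an assumption about what an IDS might object to, not RealSecure's actual logic; the sample header bytes are constructed.

```python
import struct

# TCP flag bits (low six bits of header byte 13), most-significant first:
# the same URG/ACK/PSH/RST/SYN/FIN column order as the table in the message above.
TCP_FLAG_BITS = (
    (0x20, "URG"),
    (0x10, "ACK"),
    (0x08, "PSH"),
    (0x04, "RST"),
    (0x02, "SYN"),
    (0x01, "FIN"),
)


def decode_flags(value):
    """Return the flag names set in a numeric TCP flags value, e.g. 21 -> ACK, RST, FIN."""
    if not 0 <= value <= 0x3F:
        raise ValueError("expected a six-bit TCP flags value, got %r" % (value,))
    return [name for bit, name in TCP_FLAG_BITS if value & bit]


def flags_from_tcp_header(header):
    """Extract the six-bit flags field from a raw TCP header (byte 13, reserved bits masked off)."""
    if len(header) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    return header[13] & 0x3F


def describe_combination(value):
    """List reasons a flag combination looks abnormal.

    These rules are the example author's assumption of what an IDS might call
    'unusual', based on RFC 793 semantics; they are not RealSecure's rules.
    """
    names = set(decode_flags(value))
    reasons = []
    if not names:
        reasons.append("no flags set (NULL segment)")
    if {"SYN", "FIN"} <= names:
        reasons.append("SYN and FIN together (open and close in one segment)")
    if {"RST", "FIN"} <= names:
        reasons.append("RST with FIN (abort combined with a graceful close)")
    if {"SYN", "RST"} <= names:
        reasons.append("SYN with RST (open and abort in one segment)")
    if {"URG", "PSH", "FIN"} <= names:
        reasons.append("URG, PSH and FIN together (XMAS-style probe)")
    return reasons


# Constructed sample: a 20-byte TCP header from port 44822 to port 25 (SMTP)
# with flags byte 0x15 (decimal 21), matching the values in the alert.
# Sequence/ack numbers, window, checksum and urgent pointer are made up.
SAMPLE_HEADER = struct.pack(
    "!HHIIBBHHH",
    44822,  # source port
    25,     # destination port (SMTP)
    0, 0,   # sequence / acknowledgement numbers (constructed)
    0x50,   # data offset = 5 words, reserved bits zero
    0x15,   # flags byte = 21 -> ACK|RST|FIN
    8192,   # window (constructed)
    0,      # checksum (not computed in this example)
    0,      # urgent pointer
)

if __name__ == "__main__":
    value = flags_from_tcp_header(SAMPLE_HEADER)
    print("flags value %d -> %s" % (value, "/".join(decode_flags(value))))
    for reason in describe_combination(value):
        print("  unusual:", reason)
```

Running it on the constructed header prints the ACK/RST/FIN decoding and the "RST with FIN" remark; a normal SYN/ACK (value 18) or a plain FIN/ACK (value 17) produces no remarks, which is the quick sanity check that the rules are not firing on ordinary traffic.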
-----Original Message-----
From: Anderson, Mark H. [mailto:[EMAIL PROTECTED]]
Sent: 06 July 2000 19:17
To: '[EMAIL PROTECTED]'
Subject: Question about RealSecure IPProtocolViolation Event
Hello all,
I have been monitoring this list silently for a while now, and want all to
know that I have learned a lot from those who post here. I recently posted
a question to this list, but I was remiss to introduce myself...my
apologies. I am a security administrator for a fairly large company and
responsible for managing our intrusion detection systems. I have RealSecure
3.2.1 (recently upgraded to 3.2.2) implemented on NT platforms.
The question I have for the experts on this board is this: I currently have
an RS network sensor monitoring our DMZ and I discovered an
"IPProtocolViolation" event that I need help to decipher. Particulars are
as follows:
Source Addr: 205.x.x.x (Internet)
Dest Addr: 10.x.x.x (a mail gateway server located on the same DMZ as the
sensor)
Protocol: TCP
Source Port: 44822
Dest Port: email
RealSecure identifies the reason as an "unusual TCP flag combination" with a
value of 21. Can anyone help me to understand the meaning of what I am
seeing? I do not understand what the "value 21" means. I have run a number
of reports and I can't find any other related events that would indicate an
attack from the same IP range of the source. Any help in answering this
puzzling question would be highly appreciated.
Mark H. Anderson
Security Specialist