TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

The value 21 is the value of the TCP flags.  21 == 0x15 as a number
value of the flag bits.

Essentially 21 is FIN, RST, ACK all set on a packet.  On the surface
it looks like a variation of a Xmas tree scan that something like the
nmap tool might be used to do.

Pat Becker
Sr. Researcher/X-Force
[EMAIL PROTECTED]

-----Original Message-----
From: Anderson, Mark H. [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 06, 2000 2:17 PM
To: '[EMAIL PROTECTED]'
Subject: Question about RealSecure IPProtocolViolation Event


Hello all,

I have been monitoring this list silently for a while now, and want all to
know that I have learned a lot from those who post here.  I recently posted
a question to this list, but I was remiss to introduce myself...my
apologies.  I am a security administrator for a fairly large company and
responsible for managing our intrusion detection systems.  I have RealSecure
3.2.1 (recently upgraded to 3.2.2) implemented on NT platforms.

The question I have for the experts on this board is this:  I currently have
a RS network sensor monitoring our DMZ and I discovered an
"IPProtocolViolation" event that I need help to decipher.  Particulars are
as follows:

Source Addr:  205.x.x.x (Internet)
Dest Addr:  10.x.x.x (a mail gateway server located on the same DMZ as the
sensor)
Protocol:  TCP
Source Port:  44822
Dest Port:  email

RealSecure identifies the reason as an "unusual TCP flag combination" with a
value of 21.  Can anyone help me to understand the meaning of what I am
seeing?  I do not understand what the "value 21" means.  I have run a number
of reports and I can't find any other related events that would indicate an
attack from the same IP range of the source.  Any help in answering this
puzzling question would be highly appreciated.


Mark H. Anderson
Security Specialist



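Pat's decoding of the flag value 21 above, as an added example that is not part of the thread and not RealSecure's own logic: a small Python decoder for the TCP flags byte, plus an illustrative set of "unusual combination" rules of the kind an IDS applies. The rule set, the mapping of the "email" port to 25, and the sample TCP header are assumptions made for this example.

```python
import struct

# Bit values of the six classic TCP flags (RFC 793), low bit first.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def decode_flags(value):
    """Names of the flags set in an integer flags value, e.g. 21 -> ['FIN', 'RST', 'ACK']."""
    return [name for name, bit in TCP_FLAGS.items() if value & bit]

def flag_anomalies(value):
    """Reasons a flags value is unusual for a normal TCP conversation ([] if it looks ordinary).
    These rules are assumptions for illustration, not RealSecure's signature logic."""
    flags = set(decode_flags(value))
    reasons = []
    if not flags:
        reasons.append("no flags set")
    if {"SYN", "FIN"} <= flags:
        reasons.append("SYN and FIN together")
    if {"SYN", "RST"} <= flags:
        reasons.append("SYN and RST together")
    if {"FIN", "RST"} <= flags:
        reasons.append("FIN and RST together")
    if {"FIN", "PSH", "URG"} <= flags:
        reasons.append("FIN, PSH and URG together (Xmas tree pattern)")
    if not flags & {"SYN", "RST", "ACK"}:
        reasons.append("neither SYN, RST nor ACK set")
    return reasons

def flags_from_tcp_header(header):
    """Read the six flag bits from a raw 20-byte TCP header; octet 13 carries the flags."""
    return header[13] & 0x3F

# Constructed 20-byte TCP header matching the event in the thread: source port 44822,
# destination port 25 (assumed for "email"), data offset 5 words, flags byte 0x15 (21).
SAMPLE_HEADER = struct.pack("!HHIIBBHHH", 44822, 25, 0, 0, 5 << 4, 0x15, 8192, 0, 0)

if __name__ == "__main__":
    value = flags_from_tcp_header(SAMPLE_HEADER)
    print(value, decode_flags(value), flag_anomalies(value))
```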