Uuh... basic question I'm sure but what do you mean by a "signature based alert"?
-----Original Message-----
From: neopara [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 18, 2003 12:32 AM
To: security-basics
Subject: Re: TCP Syn Flooding

On Sat, 2003-02-15 at 08:20, Tim Laureska wrote:
> OK. I just installed a Netgear firewall box between a cable modem and an
> NT 4.0 server on a small network.. and set it up to email me attempts at
> security breaches. I am brand new to these devices and a relative
> neophyte to internet/internal network security. So the question is
> this.
>
> I received this message a few times yesterday after I installed the box:
>
>
> Fri, 02/14/2003 20:35:01 - TCP connection dropped -
> Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN -
> 'TCP:Syn Flooding' End of Log ----------
>
> What should I make of this?
>
> T.

It could also be a false positive? IDSes are kinda sensitive to syn flood signatures. I am guessing your firewall is just dropping the syn packet, so an application could be repeatedly trying to establish a connection which is triggering that signature. It would help to know if there is a legitimate application that hits port 20306.

P.S. You should take signature based alerts with a grain of salt.

Pawel Sliwowski

Nothing More, For Me to Say, About my life, A Life of Dreams....
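Added example (not part of the original thread and not Netgear code): a small triage helper for the alert format quoted above, grouping repeated 'TCP:Syn Flooding' drops by source so that the question of whether a legitimate application is behind them can be checked. Only the first sample line comes from the thread; the other lines, the field names and the `reply_like` heuristic are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Field layout inferred from the one log line quoted in the thread.
LOG_RE = re.compile(
    r"\w{3}, (?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) - (?P<event>.+?) - "
    r"Source:(?P<src_ip>[\d.]+), (?P<src_port>\d+), (?P<src_if>\w+) - "
    r"Destination:(?P<dst_ip>[\d.]+), (?P<dst_port>\d+), (?P<dst_if>\w+) - "
    r"'(?P<rule>[^']+)'")

# Line 1 is the alert from the thread; lines 2-4 are constructed sample data.
SAMPLE_LOG = """\
Fri, 02/14/2003 20:35:01 - TCP connection dropped - Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN - 'TCP:Syn Flooding'
Fri, 02/14/2003 20:35:04 - TCP connection dropped - Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN - 'TCP:Syn Flooding'
Fri, 02/14/2003 20:35:10 - TCP connection dropped - Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20307, LAN - 'TCP:Syn Flooding'
Fri, 02/14/2003 21:02:47 - TCP connection dropped - Source:192.0.2.77, 31337, WAN - Destination:69.2.167.25, 139, LAN - 'TCP:Syn Flooding'
"""

def parse_line(line):
    """Return the fields of one alert line as a dict, or None if no match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %H:%M:%S")
    rec["src_port"], rec["dst_port"] = int(rec["src_port"]), int(rec["dst_port"])
    return rec

def summarize(log_text):
    """Group alerts by (rule, source IP, source port) so repeats stand out."""
    groups = defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        groups[(rec["rule"], rec["src_ip"], rec["src_port"])].append(rec)
    rows = []
    for (rule, ip, port), recs in sorted(groups.items()):
        times = [r["ts"] for r in recs]
        rows.append({
            "rule": rule, "src_ip": ip, "src_port": port, "count": len(recs),
            "dst_ports": sorted({r["dst_port"] for r in recs}),
            "span_s": (max(times) - min(times)).total_seconds(),
            # Heuristic, not proof: well-known source port + ephemeral destination
            # ports is consistent with replies from a server a LAN host contacted.
            "reply_like": port < 1024 and all(r["dst_port"] >= 1024 for r in recs),
        })
    return rows

if __name__ == "__main__":
    print(*summarize(SAMPLE_LOG), sep="\n")
```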