Rule: -- Sid: 1431 -- Summary: This event is generated when packets with the SYN flag set are sent to multicast addresses. -- Impact: Possible reconnaisance or evidence of a Denial of Service (DoS) attack. -- Detailed Information: Under normal circumstances packets with the SYN flag set should not be sent to multicast addresses. If the attacker has spoofed a multicast address when sending a SYN flood attack this traffic will be seen. an indicator of unauthorized network use, reconnaisance activity or system compromise. These rules may also generate an event due to improperly configured network devices. -- Affected Systems: Any -- Attack Scenarios: The attacker may have intiated an attack and could have spoofed a multicast address as the source. -- Ease of Attack: Simple -- False Positives: None Known -- False Negatives: None Known -- Corrective Action: Employ filtering at the firewall. -- Contributors: Original rule writer unknown Sourcefire Research Team Nigel Houghton -- Additional References: --