File: 1431.txt

snort 2.7.0-20.4
Rule:

--
Sid: 1431

--
Summary:
This event is generated when packets with the SYN flag set are sent to 
multicast addresses.

--
Impact:
Possible reconnaissance or evidence of a Denial of Service (DoS) attack.

--
Detailed Information:
Under normal circumstances packets with the SYN flag set should not be 
sent to multicast addresses.

If the attacker has spoofed a multicast address when sending a SYN flood
attack this traffic will be seen.

an indicator of unauthorized network use, reconnaissance activity or 
system compromise. These rules may also generate an event due to 
improperly configured network devices.

--
Affected Systems:
	Any

--
Attack Scenarios:
The attacker may have initiated an attack and could have spoofed a 
multicast address as the source.

--
Ease of Attack:
Simple

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:
Employ filtering at the firewall.

--
Contributors:
Original rule writer unknown
Sourcefire Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

--