526.txt

snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具

Rule:

--
Sid: 526

--
Summary:
This event is generated when SYN packets contain data greater than what 
is normally expected.

--
Impact:
Possible Denial of Service attack (DoS) or IDS evasion.

--
Detailed Information:
Under normal circumstances TCP SYN packets are exchanged between hosts 
to synchronize the TCP sequence numbers in a transaction. A SYN packet 
with a datagram size larger than 6 bytes may be an indication of a 
Denial of Service attack or an attempt to evade IDS.

an indicator of unauthorized network use, reconnaisance activity or 
system compromise. These rules may also generate an event due to 
improperly configured network devices.

--
Affected Systems:
	Any

--
Attack Scenarios:
The attacker would need to send specially crafted packets with the SYN 
flag set with a datagram size larger than 6 bytes. This may be achieved 
using a script or tool.

--
Ease of Attack:
Simple

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:


--
Contributors:
Original rule writer unknown
Sourcefire Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

CERT:
http://www.cert.org/incident_notes/IN-99-07.html

--