On Thursday 29 November 2001 01:27 pm, Martin Smith wrote:
> I'm running Snort 8 and have been seeing a lot of this type of attack
> signatures. It looks like a false positive, but I'm not sure.
>
>
> [**] [1:526:3] BAD TRAFFIC data in TCP SYN packet [**]
> [Classification: Misc activity] [Priority: 3]
> 11/28-08:02:09.593643 216.25.228.229:2200 -> 208.160.110.28:53
> TCP TTL:240 TOS:0x0 ID:35423 IpLen:20 DgmLen:64
> ******S* Seq: 0x1E000853 Ack: 0x0 Win: 0x800 TcpLen: 20
>
> Thanks for your help,
>
> Marty
>
> P.S. What are ipchains????

it's prolly a false positive but you didn't provide enough information. first, which of those is your machine? and is the other machine your dns server? if so, it's likely traffic caused by any dns lookups you do, but it shouldn't trigger any bad traffic rules (or should it? the rule does seem pretty vague). to get around the error you can add your dns servers to the ignorehosts option somewhere in the snort.conf file.

ipchains is a tool used to modify the firewall rules for the Linux 2.2 kernel; iptables is the tool used for the 2.4 kernel.
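A small triage helper for the alert quoted above, added here as an example and not part of the original thread. It parses the Snort alert text, works out why rule 1:526 fired (payload bytes = DgmLen - IpLen - TcpLen), and answers the reply's first question: does either endpoint belong to the site's own DNS resolvers? The `OWN_DNS_SERVERS` set is a constructed assumption for the example.

```python
"""Triage helper for Snort 'BAD TRAFFIC data in TCP SYN packet' alerts.

Added example (not from the original thread). Parses the alert as Snort
prints it and computes the TCP payload length carried in the SYN, which
is what rule 1:526 keys on. Also flags whether the conversation involves
one of the site's own DNS servers, the first thing the reply asks about.
"""
import re

# Alert exactly as quoted in the original message.
ALERT = """[**] [1:526:3] BAD TRAFFIC data in TCP SYN packet [**]
[Classification: Misc activity] [Priority: 3]
11/28-08:02:09.593643 216.25.228.229:2200-> 208.160.110.28:53
TCP TTL:240 TOS:0x0 ID:35423 IpLen:20 DgmLen:64
******S* Seq: 0x1E000853 Ack: 0x0 Win: 0x800 TcpLen: 20"""

# Constructed for the example: resolvers this site actually operates.
OWN_DNS_SERVERS = {"208.160.110.28"}

_ENDPOINTS = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+)\s*->\s*(\d+\.\d+\.\d+\.\d+):(\d+)")
_FIELD = re.compile(r"\b(IpLen|DgmLen|TcpLen):\s*(\d+)")
_FLAGS = re.compile(r"^([*12UAPRSF]{8})\s+Seq:", re.MULTILINE)


def parse_alert(text):
    """Return endpoints, TCP flag string and the three header lengths."""
    m = _ENDPOINTS.search(text)
    fields = {name: int(val) for name, val in _FIELD.findall(text)}
    flags = _FLAGS.search(text).group(1)
    return {"src": m.group(1), "sport": int(m.group(2)),
            "dst": m.group(3), "dport": int(m.group(4)),
            "flags": flags, **fields}


def syn_payload_bytes(alert):
    """TCP payload bytes in the segment: IP total length minus both headers."""
    return alert["DgmLen"] - alert["IpLen"] - alert["TcpLen"]


def triage(text, own_dns=OWN_DNS_SERVERS):
    """Annotate a parsed alert with the facts needed to judge it."""
    a = parse_alert(text)
    a["payload_bytes"] = syn_payload_bytes(a)
    a["pure_syn"] = a["flags"] == "******S*"          # SYN only, no ACK
    a["data_in_syn"] = a["pure_syn"] and a["payload_bytes"] > 0
    a["talks_to_own_dns"] = a["src"] in own_dns or a["dst"] in own_dns
    return a
```

For the quoted alert the SYN carries 24 bytes of payload (64 - 20 - 20), so the rule matched what it describes; whether that is benign depends on which end is the site's resolver, which `talks_to_own_dns` reports.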