Norton IDS
Results 1 to 9 of 9

Thread: Norton IDS

  1. #1
    Senior Member
    Join Date
    Dec 2002
    Posts
    144

    Norton IDS

    Details: Intrusion: Invalid IP Flags
    Intruder: 80.14.236.194
    Risk Level: Low
    Source IP address: 80.14.236.194
    Destination IP address: michael(203.125.127.251)
    Protocol: TCP.
    IP Flags and Fragment Offset: 0x00009813. This field is invalid.

    Click on the address to trace the attacker
    You can get detailed information about this attack at Symantec Security Response

    what is Invalid IP Flags?what is the threat?
    BlAcKiE
    GearBlitz

  2. #2
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Well, we can't really tell without the rest of the stream/datagram since those field are relative to the other packets...

    Ammo
    Credit travels up, blame travels down -- The Boss

  3. #3
    Senior Member
    Join Date
    Dec 2002
    Posts
    144
    Originally posted here by ammo
    Well, we can't really tell without the rest of the stream/datagram since those field are relative to the other packets...

    Ammo
    what could be the threat?how can this Invalid IP help in penetrating my PC?
    BlAcKiE
    GearBlitz

  4. #4
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Hum, on second look, I'm not sure what they mean with
    "IP Flags and Fragment Offset: 0x00009813"...
    Do they offer any details somewhere in th doc/help?

    Ammo
    Credit travels up, blame travels down -- The Boss

  5. #5
    Senior Member
    Join Date
    Dec 2002
    Posts
    144
    Originally posted here by ammo
    Hum, on second look, I'm not sure what they mean with
    "IP Flags and Fragment Offset: 0x00009813"...
    Do they offer any details somewhere in th doc/help?

    Ammo
    then i think norton didnt log it very well...
    BlAcKiE
    GearBlitz

  6. #6
    Senior Member
    Join Date
    Dec 2002
    Posts
    110
    Normally invalid ip flags are an illegal combination of tcp flags which are set in the 13th byte
    of the tcp header. The first two bits of the byte used to reserved but are now used for congestion management. The other 6 bits are used for your flags ie: syn/fin/ack/rst/psh/urg For example if you send a packet with the syn and fin flags set that would be an invalid flag combination.

  7. #7
    Senior Member
    Join Date
    Dec 2002
    Posts
    144
    is it a critical attack?
    BlAcKiE
    GearBlitz

  8. #8
    Senior Member
    Join Date
    Dec 2002
    Posts
    110
    Nah this is an old hack. Any ids system worth it's salt ie: Blackice amongst others will pick this
    up all the time. Only of concern if you were running services on an unprotected box.

  9. #9
    Senior Member
    Join Date
    Dec 2002
    Posts
    144
    Originally posted here by don
    Nah this is an old hack. Any ids system worth it's salt ie: Blackice amongst others will pick this
    up all the time. Only of concern if you were running services on an unprotected box.
    i wish to understand how it can compromise my system?what kind of service the unprotected box must be running?
    BlAcKiE
    GearBlitz

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •