detecting syn-ack

Carter Bullard carter at qosient.com
Wed Jul 14 15:48:01 EDT 2010


Hey Riccardo,
You can specify these types of filters to get records that have specific tcp flag settings:
   ra -r file - syn and not ack
   ra -r file - src syn and dst ack
   ra -r file - src push and dst urg

The keyword synack is a special-case argus status indication that matches when the
source sent the syn and the destination sent an ack.

Carter

On Jul 14, 2010, at 9:41 AM, Riccardo Veraldi wrote:

> Actually I can use the -Zs flag in ra to get the result I was searching for :)
> 
> thank you
> 
> Riccardo
> 
> 
> Riccardo Veraldi wrote:
>> hello,
>> I would like to print all the SYN/ACK occurrences to detect possible SYN flood attacks.
>> 
>> Data is collected using radium and reading from a Netflow source.
>> 
>> 
>> I use a filter like this
>> 
>> ra -r radium.out - proto TCP and syn
>> 
>> 
>> Anyway, I did not expect to also see FIN packets:
>> 
>> 
>> 
>> ra -r radium.out - proto TCP and syn | grep FIN
>> 
>> 
>>  11:55:54.832000 Ne         tcp          1.8.247.1.http      ->          100.0.7.3.19333         4        216   FIN
>>  11:55:53.648000 Ne         tcp           1.1.97.1.http      ->          100.0.7.3.61745         4        216   FIN
>>  11:55:54.000000 Ne         tcp        100.0.194.1.http      ->          100.0.7.3.9159          3        565   FIN
>>  11:55:54.600000 Ne         tcp           1.0.78.6.http      ->          100.0.7.3.62652         3        164   FIN
>>  11:55:54.864000 Ne         tcp         197.0.23.1.http      ->          100.0.7.3.11496         4        216   FIN
>>  11:55:55.916000 Ne         tcp          1.1.104.1.http      ->          100.0.7.3.3783          3        164   FIN
>>  11:55:55.092000 Ne         tcp        197.0.111.1.http      ->          100.0.7.3.11604         4        216   FIN
>>  11:55:55.220000 Ne         tcp          1.1.103.1.http      ->          100.0.7.3.7808          3        164   FIN
>>  11:55:55.988000 Ne         tcp          1.8.247.1.http      ->          100.0.7.3.19342         3        164   FIN
>>  11:55:56.036000 Ne         tcp         197.0.78.3.http      ->          100.0.7.3.9540          4        216   FIN
>>  11:55:56.112000 Ne         tcp          1.1.109.1.http      ->          100.0.7.3.5153          3        164   FIN
>>  11:55:56.256000 Ne         tcp          1.12.83.1.http      ->          100.0.7.3.22307         3        164   FIN
>>  11:55:56.264000 Ne         tcp          1.8.247.1.http      ->          100.0.7.3.19349         4        216   FIN
>>  11:55:56.324000 Ne         tcp           1.0.44.1.http      ->          100.0.7.3.9434          3        164   FIN
>>  11:55:56.372000 Ne         tcp          1.8.247.1.http      ->          100.0.7.3.19351         4        216   FIN
>> 
>> 
>> Is this normal?
>> 
>> Shouldn't I see only something like CON or EST or ACC?
>> 
>> thanks
>> 
>> Riccardo
>> 
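Added example, not code from the thread or from the argus project: a small Python model of the per-direction flag filters Carter describes ("syn and not ack", "src syn and dst ack", the synack status) applied to constructed flow records, plus the per-destination count of incomplete handshakes Riccardo was after. The record layout, flag letters, addresses and the threshold are all assumptions made for this example; they are not ra output or argus internals.

```python
"""Model of argus-style per-direction TCP flag filters over flow records.

Each constructed record is (src, dst, src_flags, dst_flags), where the flag
strings hold the TCP flags seen in that direction over the whole flow:
S=SYN, A=ACK, F=FIN, P=PSH, U=URG, R=RST.  This is a hypothetical layout,
not the argus record format.
"""
from collections import Counter, defaultdict

# Constructed sample flows (not captured data).
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", "SAPF", "SAPF"),   # normal completed session
    ("10.0.0.6", "192.0.2.10", "SAP", "SAPF"),
    ("198.51.100.1", "192.0.2.10", "S", ""),      # SYN, no reply at all
    ("198.51.100.2", "192.0.2.10", "S", "SA"),    # SYN/ACK sent, client never ACKed
    ("198.51.100.3", "192.0.2.10", "S", "SA"),
    ("198.51.100.4", "192.0.2.10", "S", "SA"),
    ("198.51.100.5", "192.0.2.10", "S", "SA"),
    ("10.0.0.7", "192.0.2.20", "SAF", "SAF"),
    ("10.0.0.8", "192.0.2.20", "S", ""),
]


def match_syn(rec):
    """Plain 'syn': a SYN was seen in either direction."""
    return "S" in rec[2] or "S" in rec[3]


def match_syn_not_ack(rec):
    """'syn and not ack': SYN seen, ACK seen in neither direction."""
    return match_syn(rec) and "A" not in rec[2] and "A" not in rec[3]


def match_synack(rec):
    """'src syn and dst ack': source sent SYN and destination answered with ACK."""
    return "S" in rec[2] and "A" in rec[3]


def match_fin(rec):
    """FIN seen in either direction."""
    return "F" in rec[2] or "F" in rec[3]


def classify(rec):
    """Label the handshake state of one flow."""
    src, dst = rec[2], rec[3]
    if "S" in src and "A" not in dst:
        return "syn_unanswered"   # SYN sent, destination never ACKed
    if "S" in src and "A" in dst and "A" not in src:
        return "half_open"        # destination SYN/ACKed, source never completed
    if "S" in src and "A" in dst and "A" in src:
        return "established"
    return "other"


def state_counts(flows):
    """Per-destination Counter of handshake states."""
    counts = defaultdict(Counter)
    for rec in flows:
        counts[rec[1]][classify(rec)] += 1
    return counts


def suspected_syn_flood_targets(flows, min_incomplete=3):
    """Destinations with at least min_incomplete flows that never completed the
    handshake.  The threshold is an illustrative constant, not a tuned value.
    Returns sorted (dst, incomplete_flows, established_flows) tuples."""
    out = []
    for dst, c in state_counts(flows).items():
        incomplete = c["syn_unanswered"] + c["half_open"]
        if incomplete >= min_incomplete:
            out.append((dst, incomplete, c["established"]))
    return sorted(out)


if __name__ == "__main__":
    print("syn:", sum(map(match_syn, SAMPLE_FLOWS)))
    print("syn and not ack:", sum(map(match_syn_not_ack, SAMPLE_FLOWS)))
    print("synack:", sum(map(match_synack, SAMPLE_FLOWS)))
    print("syn records that also show FIN:",
          sum(1 for r in SAMPLE_FLOWS if match_syn(r) and match_fin(r)))
    print("targets:", suspected_syn_flood_targets(SAMPLE_FLOWS))
```

In this model a completed session carries S, A and F in one record, so the plain "syn" filter also returns records that display FIN, which is the kind of output Riccardo saw; "syn and not ack" narrows to flows where no ACK was ever seen, and "src syn and dst ack" is the synack case. Counting the unanswered and half-open flows per destination rather than every SYN/ACK is what separates a busy server from one that is being flooded.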



