
Re: Filter on packet content

James Cammarata wrote:
> The one thing that stuck out to me was this (from their report): "remote
> host does not discard TCP SYN packets that also have the FIN flag
> set."  This note appeared for every visible server they probed.  Now, I
scrub removes ambiguities, in this case the FIN flag. The servers they
probed never saw the SYN,FIN packets, but since those packets didn't get
dropped either, you/they got this false positive. To confirm the
scrubbing (just to be sure), you could run a tcpdump behind the firewall
and try to get SF packets through it.
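
The tcpdump check suggested above can be automated; the following is an added example, not part of the original message. It scans a capture taken behind the firewall (for instance one written with `tcpdump -w`) for segments that still carry both SYN and FIN, assuming a classic pcap file with Ethernet framing and IPv4; the function names and sample frames are constructed for illustration.

```python
import struct

SYN, FIN = 0x02, 0x01

def syn_fin_packets(pcap):
    """Return (src, dst, dport) for each IPv4/TCP packet with SYN and FIN both set."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"                         # little-endian capture file
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"                         # big-endian capture file
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type")
    hits, off = [], 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        frag = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
        if ip[0] >> 4 != 4 or ip[9] != 6 or frag or len(ip) < ihl + 14:
            continue                      # not TCP, a later fragment, or truncated
        tcp = ip[ihl:]
        if tcp[13] & (SYN | FIN) == (SYN | FIN):
            hits.append((".".join(map(str, ip[12:16])),
                         ".".join(map(str, ip[16:20])),
                         struct.unpack("!H", tcp[2:4])[0]))
    return hits

# Constructed sample data (documentation addresses), built in memory only.
def build_frame(flags):
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 10]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, flags, 1024, 0, 0)
    return eth + ip + tcp

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    scrubbed = build_pcap([build_frame(0x02), build_frame(0x11)])
    print(syn_fin_packets(scrubbed) or "no SYN+FIN seen behind the firewall")
```

An empty result on a capture taken behind the firewall during the scan is consistent with scrub having cleared the FIN flag before the servers saw the packets.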