[Dshield] Massive port 135 upswing?

Tom Liston tliston at premmag.com
Thu Jun 17 12:49:55 GMT 2004


On 15 Jun 2004 at 11:15, Nels Lindquist wrote:

> Now that I think about it, though, LaBrea wouldn't let 
> the TCP handshake complete anyway, right?  That's how it accomplishes its
> "teergrubbing".

No.  LaBrea allows the three-way handshake to complete.  It just won't let 
the other end send (much) data.  If you're watching those connections with 
Snort, it probably won't get enough data to trigger any complex signature 
(i.e., something that triggers off of anything beyond the packet header 
info).

-TL
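
Added example, not part of the original post: a small Python model of the point above, comparing what a header-only rule and a payload-content rule see when the listener completes the handshake but accepts almost no data. The window sizes, function names and sample bytes are assumptions constructed for illustration, not LaBrea's or Snort's actual values or code.

```python
from dataclasses import dataclass

TARPIT_WINDOW = 5        # assumed: bytes the tarpit lets the sender transmit
NORMAL_WINDOW = 65535    # assumed: window of an ordinary listening host

@dataclass
class Packet:
    flags: str           # "S" = SYN, "A" = ACK, "PA" = PSH+ACK
    dport: int
    payload: bytes = b""

def client_packets(dport: int, data: bytes, peer_window: int) -> list[Packet]:
    """Packets the connecting side gets onto the wire when the peer completes
    the handshake but never opens its window beyond peer_window bytes."""
    pkts = [Packet("S", dport), Packet("A", dport)]  # handshake completes
    sendable = data[:peer_window]
    if sendable:
        pkts.append(Packet("PA", dport, sendable))
    return pkts

def header_rule(pkts, port=135) -> bool:
    """Fires on header fields alone: a SYN to the watched port."""
    return any(p.flags == "S" and p.dport == port for p in pkts)

def content_rule(pkts, pattern: bytes, port=135) -> bool:
    """Fires only if the pattern appears in the reassembled payload."""
    stream = b"".join(p.payload for p in pkts if p.dport == port)
    return pattern in stream

def compare(data: bytes, pattern: bytes) -> dict:
    """Evaluate both rules against a tarpitted and an ordinary connection."""
    result = {}
    for name, window in (("tarpit", TARPIT_WINDOW), ("normal", NORMAL_WINDOW)):
        pkts = client_packets(135, data, window)
        result[name] = (header_rule(pkts), content_rule(pkts, pattern))
    return result

# Constructed sample: filler followed by a marker a content signature keys on.
PATTERN = b"EXAMPLE-SIGNATURE-BYTES"
SAMPLE = b"A" * 40 + PATTERN + b"B" * 40

if __name__ == "__main__":
    for host, (hdr, content) in compare(SAMPLE, PATTERN).items():
        print(f"{host:6s} header_rule={hdr} content_rule={content}")
```

For sensors watching tarpitted address space, this is why alert counts there reflect header-level rules only and should not be compared directly with content-signature counts from live hosts.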


