Rule: -- Sid: 111-5 -- Summary: This event is generated when the pre-processor stream4 detects network traffic that may constitute an attack. -- Impact: Unknown. -- Detailed Information: This event indicates that the pre-processor stream4 has detected a packet with only the SYN flag set that contains a payload. A packet with this flag set is meant to only set up a session between a client and server. Any data in a packet of this kind indicates malicious activity is taking place. -- Affected Systems: All systems -- Attack Scenarios: An attacker can attempt to evade an IDS by sending a malicious payload in a packet designed to set up a session. -- Ease of Attack: Moderate. -- False Positives: None Known. -- False Negatives: None Known. -- Corrective Action: Check the target host for signs of compromise. Ensure the system is up to date with any appropriate vendor supplied patches. -- Contributors: Martin Roesch <roesch@sourcefire.com> Sourcefire Vulnerability Research Team Nigel Houghton <nigel.houghton@sourcefire.com> -- Additional References: --
