Snort Output Question From Walker Practice Book
basically the question has
190.168.5.12:33541 -> 213.132.44.56:23
***A**S* ...........
TCP Options (4) => MSS:1460 NOP NOPSackOK
..........................
...............
....
Answers:
A. The capture indicates a NOP sled attack
B. The packet shows step 2 of a TCP handshake
C. The packet source is 213.132.44.56
D. Shows an SSH session attempt.
So I picked "A" NOP Sled. Even though I know a NOP sled would have way more NOPs (The idea being to NOP past the buffer limit)
The book says B is correct. How can this be? Why would a client (port 33541) be sending a Syn/Ack to a server (port 23 telnet)????
Am I correct in my logic or am I missing something?
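An added decoder for the Snort flag column the question quotes (example code of mine, not from the book or the poster): it turns the eight-position flag field into the set of flags that are on, names the handshake step that combination corresponds to, and records whether a SYN/ACK is travelling from an ephemeral port toward a well-known service port, which is the direction the question raises. The flag-position order follows Snort's packet-log format; the 1024 cutoff for "well-known" ports is an assumption taken from the traditional port ranges.

```python
import re

# Snort's eight-character TCP flag field, in print order:
# 1 and 2 are the reserved bits, then URG, ACK, PSH, RST, SYN, FIN;
# '*' in a position means that flag is clear.
FLAG_ORDER = "12UAPRSF"

HEADER_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+)$")

def parse_snort_flags(field: str) -> set:
    """Return the set of flag letters set in a field such as '***A**S*'."""
    if len(field) != 8:
        raise ValueError(f"expected 8 positions, got {field!r}")
    flags = set()
    for expected, ch in zip(FLAG_ORDER, field):
        if ch == "*":
            continue
        if ch != expected:
            raise ValueError(f"bad flag {ch!r} in position of {expected!r}")
        flags.add(ch)
    return flags

def handshake_role(flags: set) -> str:
    """Name the handshake step a flag combination corresponds to."""
    if flags & {"R", "F"}:
        return "teardown/reset (not a handshake segment)"
    if flags == {"S"}:
        return "SYN (handshake step 1)"
    if flags == {"S", "A"}:
        return "SYN/ACK (handshake step 2)"
    if "A" in flags and "S" not in flags:
        return "ACK (handshake step 3 or an established-session segment)"
    return "other"

def describe(header: str, flag_line: str) -> dict:
    """Decode one Snort packet record into direction, flags and role, and
    note when a SYN/ACK goes from an ephemeral port to a well-known one
    (a server normally answers from the port it listens on)."""
    m = HEADER_RE.match(header.strip())
    if not m:
        raise ValueError(f"unrecognised header line: {header!r}")
    src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
    flags = parse_snort_flags(flag_line.split()[0])
    odd_direction = flags == {"S", "A"} and sport >= 1024 > dport  # 1024: assumed cutoff
    return {"src": f"{src}:{sport}", "dst": f"{dst}:{dport}",
            "flags": "".join(f for f in FLAG_ORDER if f in flags),
            "role": handshake_role(flags),
            "synack_from_ephemeral_port": odd_direction}

if __name__ == "__main__":
    # The two lines quoted in the question, used here as constructed input.
    print(describe("190.168.5.12:33541 -> 213.132.44.56:23", "***A**S* ..........."))
```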