Snort Output Question From Walker Practice Book

IronmanX Member Posts: 323


Basically the question has:
190.168.5.12:33541 -> 213.132.44.56:23
***A**S* ...........
TCP Options (4) => MSS:1460 NOP NOPSackOK
..........................
...............
....

Answers:
A. The capture indicates a NOP sled attack
B. The packet shows step 2 of a TCP handshake
C. The packet source is 213.132.44.56
D. Shows an SSH session attempt.


So I picked "A", NOP sled, even though I know a NOP sled would have way more NOPs (the idea being to NOP past the buffer limit).


The book says B is correct. How can this be? Why would a client (port 33541) be sending a SYN/ACK to a server (port 23, telnet)?
Am I correct in my logic or am I missing something?
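
Added example (not part of the original post or the book): a small Python decoder for the three Snort lines quoted in the question, showing which TCP flags the `***A**S*` field sets and how the TCP Options line tokenizes. The function names are hypothetical, the `12UAPRSF` column order is Snort's flag display order, and the option pattern covers only the option names that appear in the post.

```python
import re

# Snort prints the TCP flag byte as eight fixed columns; '*' means the bit is clear.
COLUMNS = "12UAPRSF"
NAMES = ["CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"]

HEADER_RE = re.compile(r"(\d+(?:\.\d+){3}):(\d+)\s*->\s*(\d+(?:\.\d+){3}):(\d+)")
FLAGS_RE = re.compile(r"^\s*([12UAPRSF*]{8})(?=\s|$)", re.M)
# Only the option names seen in the post; two tokens may be fused ("NOPSackOK").
OPTION_RE = re.compile(r"MSS:\s*\d+|NOP|SackOK")

# Lines copied from the post, with the elided (dotted) parts left out.
SAMPLE = """190.168.5.12:33541 -> 213.132.44.56:23
***A**S* ...........
TCP Options (4) => MSS:1460 NOP NOPSackOK
"""


def decode_flags(field):
    """Return the set of flag names set in an 8-column Snort flag field."""
    if len(field) != 8:
        raise ValueError("flag field must be 8 columns")
    flags = set()
    for col, ch, name in zip(COLUMNS, field, NAMES):
        if ch == col:
            flags.add(name)
        elif ch != "*":
            raise ValueError(f"unexpected {ch!r} in column {col}")
    return flags


def handshake_step(flags):
    """Classify by flags alone: 1 = SYN, 2 = SYN+ACK, None = neither."""
    core = flags - {"CWR", "ECE"}  # ECN negotiation bits may ride on SYN packets
    return {frozenset({"SYN"}): 1, frozenset({"SYN", "ACK"}): 2}.get(frozenset(core))


def parse_packet(text):
    """Extract endpoints, flags, handshake step and TCP options from a Snort dump."""
    src, sport, dst, dport = HEADER_RE.search(text).groups()
    flags = decode_flags(FLAGS_RE.search(text).group(1))
    opt_line = re.search(r"TCP Options \((\d+)\) => (.*)", text)
    options = OPTION_RE.findall(opt_line.group(2)) if opt_line else []
    return {"src": (src, int(sport)), "dst": (dst, int(dport)), "flags": flags,
            "step": handshake_step(flags), "options": options}


if __name__ == "__main__":
    print(parse_packet(SAMPLE))
```

The four option tokens it recovers match the `(4)` count Snort printed, and the two `NOP` entries are TCP option kind 1 (one-byte padding between options), which belongs to the TCP header rather than the payload.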