TCP Flags

psad reports every TCP flag that is set in a TCP packet that generates an iptables log message. In the case of the WEB-PHP Setup.php access attack, the TCP packet that causes the fwsnort policy to generate a log message is part of an established TCP session, so the ACK and PSH flags are reported as set in the psad alert. The log prefix [1] SID2281 ESTAB also clearly indicates that the packet was logged by an fwsnort chain that uses iptables state matching (the ESTABLISHED connection tracking state) to restrict the signature to packets belonging to tracked TCP connections. In iptables terms, ESTABLISHED means that the connection tracking subsystem has already seen traffic in both directions for the connection, which a remote attacker cannot arrange from an arbitrary spoofed source address without completing the TCP handshake (and therefore receiving the target's SYN/ACK). The attacker cannot force fwsnort to generate this log message simply by spoofing a single TCP ACK packet that contains the /Setup.php string; a signature applied without state matching would be exposed to exactly that kind of spoofed, single-packet trigger, and the resulting alert could not be trusted to name the real source.
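The following is an added example, not code from psad or fwsnort, showing how the flag tokens and the ESTAB marker in the fwsnort log prefix can be pulled out of iptables log lines and used to decide whether an alert is attributable to its source address. The two log lines are constructed for this example (the addresses, MAC, and the second rule's prefix [2] SID2281 without ESTAB are assumptions, not output from a real system); the field layout follows the standard iptables LOG target format.

```python
"""Parse fwsnort/iptables LOG lines and report TCP flags and state matching.

Added example: it assumes the standard iptables LOG target field format
(IN= OUT= MAC= SRC= DST= ... PROTO=TCP SPT= DPT= ... flag tokens ... URGP=)
preceded by an fwsnort-style log prefix such as "[1] SID2281 ESTAB ".
"""

# Constructed sample log lines (not captured from a real system).
# Line 1: what an fwsnort rule for SID 2281 that uses state matching logs,
#         a PSH/ACK segment inside a tracked (ESTABLISHED) TCP session.
# Line 2: an assumed stateless variant of the same signature (no ESTAB in the
#         prefix) logging a lone ACK, which a remote attacker could spoof.
SAMPLE_LOGS = [
    "Jan  1 12:00:01 fw kernel: [1] SID2281 ESTAB IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 "
    "DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=4096 DF PROTO=TCP "
    "SPT=43120 DPT=80 WINDOW=5840 RES=0x00 ACK PSH URGP=0",
    "Jan  1 12:00:02 fw kernel: [2] SID2281 IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 "
    "DST=198.51.100.20 LEN=40 TOS=0x00 PREC=0x00 TTL=30 ID=1 DF PROTO=TCP "
    "SPT=1024 DPT=80 WINDOW=1024 RES=0x00 ACK URGP=0",
]

# Flag tokens the iptables LOG target emits for TCP (one token per set flag).
TCP_FLAGS = ("SYN", "ACK", "PSH", "FIN", "RST", "URG")


def parse_fwsnort_log(line):
    """Return a dict describing a TCP iptables log line, or None if it is not one.

    The fwsnort prefix is everything between "kernel: " and the first "IN="
    field; the SID is taken from the SIDnnnn token and the ESTAB token records
    that the logging rule required the ESTABLISHED conntrack state.
    """
    try:
        _, msg = line.split("kernel: ", 1)
    except ValueError:
        return None
    idx = msg.find("IN=")
    if idx < 0:
        return None
    prefix_tokens = msg[:idx].split()
    sid = None
    for tok in prefix_tokens:
        if tok.startswith("SID") and tok[3:].isdigit():
            sid = int(tok[3:])
    if sid is None:
        return None

    fields = {}
    flags = []
    for tok in msg[idx:].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        elif tok in TCP_FLAGS:
            flags.append(tok)
        # Other bare tokens (e.g. DF) are IP-level markers, not TCP flags.
    if fields.get("PROTO") != "TCP":
        return None

    return {
        "sid": sid,
        "established": "ESTAB" in prefix_tokens,
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "dpt": int(fields["DPT"]) if fields.get("DPT", "").isdigit() else None,
        "flags": flags,
    }


def triage(alert):
    """Classify an alert by whether its source address can be trusted.

    An alert produced by a state-matching rule required conntrack to have seen
    both directions of the connection, so the SRC is not a blind spoof. A
    stateless match on a single ACK-bearing packet can be triggered from any
    forged source.
    """
    if alert["established"]:
        return "established session, source attributable"
    if "ACK" in alert["flags"] and "SYN" not in alert["flags"]:
        return "stateless match on a lone ACK, source may be spoofed"
    return "stateless match"


def parse_all(lines):
    """Parse every line, dropping those that are not TCP iptables log messages."""
    return [a for a in (parse_fwsnort_log(l) for l in lines) if a is not None]


if __name__ == "__main__":
    for alert in parse_all(SAMPLE_LOGS):
        print("SID%d %s -> %s flags=%s : %s" % (
            alert["sid"], alert["src"], alert["dst"],
            " ".join(alert["flags"]), triage(alert)))
```

The parser deliberately treats DF and similar bare tokens as non-flags, since the iptables LOG target prints IP-level markers in the same bare-token style as the TCP flag list; only the tokens in TCP_FLAGS are reported as flags, matching what psad shows in its alert.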
