What does this Snort alert mean?
I examined a packet capture with Snort and received an alert about malware. The message read: [**] [ 129 : 15 : 1 ] Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] for the malware alert. I gathered many details, but this specific reset outside window alert didn’t provide much useful information. It would be very helpful if someone could clarify what this alert means and when it might occur. Thank you.
They likely received a TCP reset packet after closing the connection, or in a situation where such resets aren't allowed because of the current constraints. Some systems react badly to unexpected traffic patterns, which can lead to unusual behavior and even security risks. This could be part of an automated vulnerability test, but it also happens randomly—like packets being sent incorrectly and taking much longer than expected, possibly causing the window to shift.
I've noticed clients sending [RST,ACK] after every [FIN,ACK] to the server, probably to close the connection once it's done. There are also cases where [RST] and [RST,ACK] were sent right after the first [RST,ACK], as shown in an attached image. The Snort alert mentioned at the start seems related to the final [RST,ACK]. This pattern has appeared repeatedly during captures. If this looks like an attack, it might be a DoS attempt to force the client's port closure. I'm not certain why a server would target a client trying to connect. My second thought is that the initial [RST,ACK] sent by the client could have been lost, though I'm not sure if that's the cause. Any ideas or possibilities you have would be appreciated.
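The distinction the 129:15:1 event draws is between a RST whose sequence number lands inside the window the receiving side currently expects and one that does not. The following is an added example, not code from this thread or from Snort itself: a small stream tracker that applies the RFC 793 acceptability rule for zero-length segments (RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, modulo 2^32) to each RST in a conversation. The trace it runs over is constructed to resemble the pattern described above: FIN/ACK, ACK, an in-window RST/ACK that raises nothing, then two RSTs (one stale, one beyond the advertised window) that would be flagged. Snort's real stream tracker keeps considerably more state; this is only the window check itself.

```python
"""Toy TCP stream tracker reproducing the logic behind a "Reset outside
window" alert. Added example, not Snort's own code; the trace is constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

SEQ_MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


@dataclass(frozen=True)
class Segment:
    src: str               # which side sent it: "client" or "server"
    seq: int               # sequence number
    ack: int               # acknowledgement number
    window: int            # receive window advertised by the sender
    flags: FrozenSet[str]  # e.g. {"SYN"}, {"FIN", "ACK"}, {"RST", "ACK"}
    payload_len: int = 0


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test for a zero-length segment such as a RST:
    RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, evaluated modulo 2**32.
    With a zero window only SEG.SEQ == RCV.NXT is acceptable."""
    if rcv_wnd == 0:
        return seq == rcv_nxt
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


def find_reset_outside_window(segments: List[Segment]) -> List[Tuple[int, str]]:
    """Walk one TCP conversation and report every RST whose sequence number is
    outside the window the receiving side expects. Returns (index, reason)."""
    next_seq: Dict[str, int] = {}  # sender -> next seq the peer expects from it (peer's RCV.NXT)
    adv_wnd: Dict[str, int] = {}   # sender -> last window it advertised (its own RCV.WND)
    alerts: List[Tuple[int, str]] = []

    for i, seg in enumerate(segments):
        peer = "server" if seg.src == "client" else "client"
        if "RST" in seg.flags:
            # The receiver judges the RST against what it expects next from this
            # sender and against the window it last advertised.
            if seg.src in next_seq:
                rcv_nxt = next_seq[seg.src]
                rcv_wnd = adv_wnd.get(peer, 0)
                if not in_window(seg.seq, rcv_nxt, rcv_wnd):
                    alerts.append((i, f"RST from {seg.src} seq={seg.seq} outside "
                                      f"[{rcv_nxt}, {(rcv_nxt + rcv_wnd) % SEQ_MOD})"))
            continue  # a RST carries no data and does not advance the stream

        adv_wnd[seg.src] = seg.window
        # SYN and FIN each occupy one sequence number; data occupies payload_len.
        consumed = seg.payload_len + ("SYN" in seg.flags) + ("FIN" in seg.flags)
        next_seq[seg.src] = (seg.seq + consumed) % SEQ_MOD
    return alerts


F = frozenset
# Constructed trace: handshake, one request/response, client FIN, then resets.
SAMPLE_TRACE = [
    Segment("client", 1000, 0, 65535, F({"SYN"})),                    # 0
    Segment("server", 5000, 1001, 65535, F({"SYN", "ACK"})),          # 1
    Segment("client", 1001, 5001, 65535, F({"ACK"})),                 # 2
    Segment("client", 1001, 5001, 65535, F({"PSH", "ACK"}), 100),     # 3 request, 100 bytes
    Segment("server", 5001, 1101, 65535, F({"PSH", "ACK"}), 300),     # 4 response, 300 bytes
    Segment("client", 1101, 5301, 65535, F({"FIN", "ACK"})),          # 5 client closes
    Segment("server", 5301, 1102, 65535, F({"ACK"})),                 # 6
    Segment("client", 1102, 5301, 65535, F({"RST", "ACK"})),          # 7 in window: no alert
    Segment("server", 5300, 1102, 65535, F({"RST", "ACK"})),          # 8 stale seq (behind RCV.NXT): alert
    Segment("client", 1102 + 70000, 5301, 65535, F({"RST", "ACK"})),  # 9 beyond the 65535-byte window: alert
]

if __name__ == "__main__":
    for idx, reason in find_reset_outside_window(SAMPLE_TRACE):
        print(f"segment {idx}: {reason}")
```

Segment 7 is the abortive close the thread describes and passes the check; segments 8 and 9 show the two ways a RST ends up outside the window (a sequence number that has already been consumed, and one beyond the advertised window), which is also why a RST delayed or retransmitted after the stream has moved on can trip this event without any hostile intent.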
I’m not very familiar with TCP details, but this piece seems useful. I’m not contributing anything else.