Query for reset-bit

From NSMWiki

Reset bits, or rather an abundance of reset bits, can be an indicator of a more serious problem. To query the sancp table for the "top resetters", a variation of the following simplified query might help:

SELECT INET_NTOA(src_ip), INET_NTOA(dst_ip) AS RESET_SOURCE_IP, dst_port, count(*) as COUNT
FROM sancp
FORCE INDEX (start_time)          /* keep the time-window lookup on the start_time index */
WHERE sid = 1                     /* sensor id */
AND start_time > DATE_SUB(NOW(), INTERVAL 15 MINUTE)
AND ( dst_flags & 4 = 4 )         /* RST bit (4) seen from the destination side */
GROUP BY src_ip, dst_ip, dst_port
ORDER BY COUNT desc
LIMIT 50

Try the same query against your sancp table with other, perhaps more interesting, bits in place of the RST test :)

( dst_flags & 64 = 64 or src_flags & 64 = 64 )  /* reserve0 flags set */
( dst_flags & 128 = 128 or src_flags & 128 = 128 )  /* reserve1 flags set */
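As an added example (not code from NSMWiki or from sancp), the following Python reproduces the logic of the query above and of the alternative flag tests over constructed in-memory rows, so the bitmask arithmetic can be checked offline; column names follow the query, the flag bit values and the sample rows are assumptions made here, and the function is generalised to any flag on either side of the session.

```python
import ipaddress
from collections import Counter

# TCP flag bits as stored in sancp's src_flags / dst_flags columns (flags seen
# from each side of the session). 64 and 128 are sancp's "reserve0"/"reserve1"
# bits from the page; current TCP names them ECE and CWR (RFC 3168).
FLAG_BITS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32,
             "RESERVE0": 64, "RESERVE1": 128}

def decode_flags(mask):
    """Names of the flags set in a sancp flags bitmask, in bit order."""
    return [name for name, bit in FLAG_BITS.items() if mask & bit]

def inet_ntoa(n):
    """MySQL INET_NTOA equivalent: unsigned 32-bit integer to dotted quad."""
    return str(ipaddress.IPv4Address(n))

def top_flag_setters(rows, flag="RST", side="dst_flags", sid=1, since=0, limit=50):
    """Offline equivalent of the page's query, generalised to any flag and
    either side: count (src_ip, dst_ip, dst_port) triples whose <side> bitmask
    includes <flag> (flags & bit = bit), ordered by count descending."""
    bit = FLAG_BITS[flag]
    counts = Counter()
    for r in rows:
        if r["sid"] == sid and r["start_time"] > since and r[side] & bit == bit:
            counts[(r["src_ip"], r["dst_ip"], r["dst_port"])] += 1
    return [(inet_ntoa(s), inet_ntoa(d), port, n)
            for (s, d, port), n in counts.most_common(limit)]

def row(sid, start_time, src, dst, dst_port, src_flags, dst_flags):
    """Build one sancp-like row; IPs are stored as integers, as INET_ATON does."""
    return {"sid": sid, "start_time": start_time,
            "src_ip": int(ipaddress.IPv4Address(src)),
            "dst_ip": int(ipaddress.IPv4Address(dst)), "dst_port": dst_port,
            "src_flags": src_flags, "dst_flags": dst_flags}

# Constructed sample sancp rows (not sensor data); start_time is epoch seconds
# and flag values are sums of FLAG_BITS, e.g. 22 = SYN|RST|ACK.
SAMPLE_ROWS = [
    row(1, 1000, "10.0.0.5", "192.0.2.10", 22, 2 | 16, 22),      # server reset
    row(1, 1010, "10.0.0.5", "192.0.2.10", 22, 2 | 16, 22),      # server reset
    row(1, 1020, "10.0.0.5", "192.0.2.10", 22, 2 | 16, 22),      # server reset
    row(1, 1030, "10.0.0.5", "192.0.2.10", 80, 27, 27),          # clean session
    row(1, 1040, "10.0.0.7", "192.0.2.10", 22, 2 | 16, 4 | 16),  # server reset
    row(1, 1050, "10.0.0.5", "192.0.2.10", 22, 4 | 16, 16),      # client reset
    row(2, 1060, "10.0.0.9", "192.0.2.10", 22, 2 | 16, 22),      # other sensor
    row(1, 500, "10.0.0.9", "192.0.2.10", 22, 2 | 16, 22),       # outside window
]

TOP_RESETTERS = top_flag_setters(SAMPLE_ROWS, since=900)  # the "last 15 minutes"
```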