====== Description ======

This backend watches for external IP addresses initiating connections across your local wire.

Suppose you have an internal network setup where you allow people to initiate connections to the outside world but do not allow externally initiated connections to terminate on internal machines (ESTABLISHED in Cisco lingo, or maybe some stateful filter like FW1, SunScreen, or ipfil). Seeing TCP connections with the SYN flag set in these situations would indicate a break in perimeter security [i.e. a dual-homed machine, crossed networks, or the fact that your filters might not be doing what you expected].

In addition, we flag on packets with SYN and any other TCP flags set except for RST. This is due to end systems handling them in different ways - to wit: MS NT treats a SYN|FIN as a raw SYN and happily returns a SYN|ACK. This should alert you to more sophisticated attempts to circumvent filters.

Note: the list of networks that are considered internal is kept in a global variable called my_networks inside of $NFRHOME/library/values.nfr. Simply create

  my_networks = [ 192.168.1.0:255.255.255.0 ];

or whatever your internal networks are.

mudge@l0pht.com
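The two checks described above (an externally sourced SYN reaching an internal host, and a SYN carrying extra flags such as SYN|FIN), written out as a small stand-alone Python detector. This is an added example, not the backend's own N-code: the network list mirrors the my_networks value shown in the note, the log format is a constructed one using tcpdump-style flag letters ('.' meaning ACK), and two assumptions are made explicit in the code: both checks are applied only to external-to-internal packets, and ACK is exempted alongside RST in the extra-flag check so that the SYN|ACK reply to a connection the inside opened is not reported.

```python
"""Watch for externally initiated TCP SYNs arriving at protected networks."""
import ipaddress

# TCP flag bits as laid out in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}
# tcpdump-style letters used by the constructed sample log ('.' is ACK).
LETTER_TO_BIT = {"F": FIN, "S": SYN, "R": RST, "P": PSH, ".": ACK, "U": URG}

# Stand-in for my_networks in values.nfr (constructed value, same as the note).
MY_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of our internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in MY_NETWORKS)


def flag_names(flags: int) -> str:
    """Render a flag bitmask as e.g. 'FIN|SYN' for alert text."""
    return "|".join(name for bit, name in FLAG_NAMES.items() if flags & bit) or "none"


def parse_flags(letters: str) -> int:
    """Convert tcpdump-style flag letters ('S', 'S.', 'SF') into a bitmask."""
    flags = 0
    for ch in letters:
        flags |= LETTER_TO_BIT[ch]  # unknown letters raise KeyError on purpose
    return flags


def classify(src: str, dst: str, flags: int):
    """Return (rule, message) for a packet worth alerting on, else None.

    Assumption: only packets from an external source to an internal host are
    examined, since those are the ones a perimeter filter should have stopped.
    """
    if not (flags & SYN) or is_internal(src) or not is_internal(dst):
        return None
    # Extra-flag check: SYN plus anything other than RST (page rule) or ACK
    # (assumption: SYN|ACK is the normal reply to a connection the inside opened).
    extra = flags & ~(SYN | ACK | RST)
    if extra:
        return ("syn-combo",
                f"{src} -> {dst} SYN with extra flags {flag_names(flags)} "
                "(possible filter evasion, e.g. SYN|FIN)")
    if flags & ACK:
        return None  # SYN|ACK reply half of an internally initiated handshake
    return ("external-syn",
            f"{src} -> {dst} externally initiated SYN reached an internal host")


def scan(log_lines):
    """Run classify() over 'src dst flagletters' lines; return the alerts."""
    alerts = []
    for line in log_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, letters = line.split()
        hit = classify(src, dst, parse_flags(letters))
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample log: one packet per line, 'src dst flags'.
SAMPLE_LOG = """
# inside opens a connection, outside replies, then a plain ACK: all fine
192.168.1.10 198.51.100.7 S
198.51.100.7 192.168.1.10 S.
198.51.100.7 192.168.1.10 .
# outside initiates a connection to an inside host: perimeter break
203.0.113.5 192.168.1.20 S
# SYN|FIN and SYN|PSH|ACK from outside: extra-flag evasion attempts
203.0.113.5 192.168.1.20 SF
203.0.113.5 192.168.1.20 SP.
"""

if __name__ == "__main__":
    for rule, msg in scan(SAMPLE_LOG.splitlines()):
        print(f"[{rule}] {msg}")
```

Run on the sample log it reports three packets: the bare SYN from 203.0.113.5 and the two SYNs carrying FIN and PSH; the outbound SYN, its SYN|ACK reply and the bare ACK pass silently. Swap MY_NETWORKS for your own ranges and feed it flow records in the same three-column shape to use it against real traffic.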