Our sensors are giving false negatives on all SYN-ACK scans that are received. Is there a signature currently on the IDS that will capture the following?
1 2006-11-14 14:27:04.287620 202.103.178.165 my.net.163.77 TCP http > 21129 [SYN, ACK] Seq=0 Ack=0 Win=0 Len=0 MSS=0
cut
10 2006-11-14 14:27:06.868677 202.103.178.165 my.net.251.125 TCP http > 606 [SYN, ACK] Seq=0 Ack=0 Win=0 Len=0 MSS=0