GEN:SID 1:1431
Message BAD-TRAFFIC syn to multicast address
Summary This event is generated when packets with the SYN flag set are sent to
multicast addresses.
Impact Possible reconnaissance or evidence of a Denial of Service (DoS) attack.
Detailed Information Under normal circumstances packets with the SYN flag set should not be
sent to multicast addresses.

If the attacker has spoofed a multicast address when sending a SYN flood
attack, this traffic will be seen.

an indicator of unauthorized network use, reconnaissance activity or
system compromise. These rules may also generate an event due to
improperly configured network devices.
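
Added example (not part of the original rule documentation and not Snort's own code): the same check applied to raw IPv4 packets, reporting a SYN sent to a multicast destination and, separately, the spoofed multicast source case from the attack scenario. The function names, finding labels and sample packets are constructed for illustration.

```python
import ipaddress
import struct

MULTICAST_V4 = ipaddress.ip_network("224.0.0.0/4")  # IPv4 multicast range
TCP_SYN = 0x02

def build_packet(src, dst, flags, sport=40000, dport=80):
    """Construct a minimal IPv4 + TCP header pair (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

def classify(packet):
    """Return the findings for one raw IPv4 packet (empty list = nothing to report)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return []                                   # not IPv4 or truncated
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 14:
        return []                                   # bad header, not TCP, or no flags byte
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return []                                   # later fragment: carries no TCP header
    if not packet[ihl + 13] & TCP_SYN:
        return []                                   # SYN flag not set
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    findings = []
    if dst in MULTICAST_V4:
        findings.append("syn-to-multicast-dst")     # what the rule message describes
    if src in MULTICAST_V4:
        findings.append("syn-from-multicast-src")   # spoofed source from the attack scenario
    return findings

# Constructed sample traffic (documentation address ranges, not captured data).
SAMPLES = [
    build_packet("192.0.2.10", "224.0.0.1", 0x02),     # SYN to multicast
    build_packet("192.0.2.10", "198.51.100.5", 0x02),  # ordinary SYN
    build_packet("239.1.2.3", "198.51.100.5", 0x02),   # SYN with multicast source
    build_packet("192.0.2.10", "224.0.0.1", 0x10),     # ACK only, no SYN
]

def scan(packets):
    """Classify every packet and keep only those with findings."""
    return [(i, f) for i, f in enumerate(map(classify, packets)) if f]

if __name__ == "__main__":
    for index, findings in scan(SAMPLES):
        print(index, findings)
```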
Affected Systems Any
Attack Scenarios The attacker may have initiated an attack and could have spoofed a
multicast address as the source.
Ease of Attack Simple
Corrective Action Employ filtering at the firewall.
Additional References