Security Incidents mailing list archives
Re: Snort blah11 signature
From: cedric () THINKERS ORG (Cedric Puddy)
Date: Thu, 6 Jul 2000 07:36:38 -0400
On Wed, 5 Jul 2000, Owen Creger wrote:
> My exchange server is setting off the blah11 trojan signature from
> whitehats.com 1 source, 13 destinations...
>
> IDS109/trojan-active-blah11
> 06/30-14:05:30.263961 172.16.1.17:1042 -> 172.16.4.235:1438
> TCP TTL:126 TOS:0x0 ID:19422 DF
> **S***A* Seq: 0x2C787B4F  Ack: 0x2C31B  Win: 0x2238
> TCP Options => MSS: 1460
>
> Is this normal traffic from exchange, or should I be concerned? Anyone
> know what port 1042 is used for in Exchange?
Depends what services exchange is providing, and how you have it configured.

What I am specifically thinking of is the Microsoft Exchange Mailbox Access Protocol (I don't actually know what it's called, but it's the stuff that passes between the server and exchange client). That protocol works by having the client contact the server on port 135 (RPC). Via RPC, the server assigns two "random" unprivileged ports to the client (one for the IS, one for the DS). The client then connects back on those ports. You can assign fixed ports to the IS and DS connections by setting registry entries. (This is known to be the way exchange 5.x works. I dunno about 2000 or 4.x, though I suspect that it would remain applicable.)

I have no idea if normal exchange traffic might look like blah11. Check and see if you have another unpriv port open to the same destination, for starters, because exchange client traffic should always hold a pair of ports open.

-Cedric

 | CCj/ClearLine - Unix/NT Administration and TCP/IP Network Services
 | 118 Louisa Street, Kitchener, Ontario, N2H 5M3, 519-741-2157
 \____________________________________________________________________
   Cedric Puddy, IS Director   cedric () thinkers org
   PGP Key Available at: http://www.thinkers.org/cedric
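A small triage helper for the paired-port check Cedric suggests, added here as an example and not code from the thread. It parses the Snort alert header format quoted above and a constructed Windows `netstat -an` snapshot taken on the Exchange server; the second server port 1091, the second client 172.16.4.77 and its alert are made-up sample values.

```python
import re
from collections import defaultdict

# Snort header as quoted in the thread: "<src_ip>:<port> -> <dst_ip>:<port> TCP ..."
ALERT_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) TCP")
# One "netstat -an" row on the server: TCP <local ip:port> <remote ip:port> ESTABLISHED
NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+ESTABLISHED")

# The alert from the original post (server 172.16.1.17 answering client 172.16.4.235).
ALERT = "06/30-14:05:30.263961 172.16.1.17:1042 -> 172.16.4.235:1438 TCP TTL:126 TOS:0x0 ID:19422 DF"
# Constructed: the same signature firing for a second client that holds only one server port.
ALERT_LONE = "06/30-14:07:02.000000 172.16.1.17:1042 -> 172.16.4.77:1500 TCP TTL:126 TOS:0x0 ID:19510 DF"
# Constructed netstat snapshot from the Exchange server; 1091 is a made-up second IS/DS port.
NETSTAT_SAMPLE = [
    "  TCP    172.16.1.17:135        172.16.4.235:1437      ESTABLISHED",
    "  TCP    172.16.1.17:1042       172.16.4.235:1438      ESTABLISHED",
    "  TCP    172.16.1.17:1091       172.16.4.235:1439      ESTABLISHED",
    "  TCP    172.16.1.17:1042       172.16.4.77:1500       ESTABLISHED",
]

def parse_alert(line):
    """Return (src_ip, src_port, dst_ip, dst_port) from a Snort alert header, or None."""
    m = ALERT_RE.search(line)
    return (m.group(1), int(m.group(2)), m.group(3), int(m.group(4))) if m else None

def established_ports(netstat_lines):
    """Map (local_ip, remote_ip) -> set of local ports in ESTABLISHED state."""
    pairs = defaultdict(set)
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if m:
            pairs[(m.group(1), m.group(3))].add(int(m.group(2)))
    return pairs

def paired_port_check(alert_line, netstat_lines):
    """Cedric's check: does the flagged server<->client pair hold another unprivileged
    server port (the second half of the IS/DS pair)? A lone port is not proof of a
    trojan, only a reason to look closer; port 135 is privileged and ignored."""
    src_ip, src_port, dst_ip, _ = parse_alert(alert_line)
    ports = established_ports(netstat_lines)[(src_ip, dst_ip)]
    others = sorted(p for p in ports if p != src_port and p >= 1024)
    return {"client": dst_ip, "flagged_port": src_port,
            "other_unpriv_ports": others, "consistent_with_exchange": bool(others)}

if __name__ == "__main__":
    for a in (ALERT, ALERT_LONE):
        print(paired_port_check(a, NETSTAT_SAMPLE))
```

The first client shows the expected pair (1042 plus 1091), while the constructed second client holds only the flagged port and is the one worth a closer look.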