Snort mailing list archives

RE: the meaning with arrows in alerts?


From: "Jyri Hovila" <jyri.hovila () iki fi>
Date: Mon, 6 Aug 2001 16:18:42 +0300

Hi!

found this in my log:

[**] [1:356:2] FTP passwd retreval attempt [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/06-14:10:46.916395 x.x.x.11:25733 -> x.x.x.8:21
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:149
***AP*** Seq: 0xDA6FB967  Ack: 0x63800E38  Win: 0x2798  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS213]

Now, normally, you would say the attempt was from the .11 address, the IP
shown before the '->', TO the IP after the '->'.

But I have a feeling, if you look at the port numbers, that it's the other
way around, or?

No, it is from ...11 to ...8. This alert is caused when an FTP client
tries to retrieve the passwd file by sending the command 'get /etc/passwd'
or something like that. The command is sent from the client (port > 1023) to
the FTP server via the FTP command channel (port 21).

Yours,

Jyri Hovila

Information Security Specialist
Tel: +358-41-448 3238
E-mail: jyri.hovila () iki fi

Certifications:
http://www.brainbench.com/transcript.jsp?pid=2301241

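An added example, not part of the thread and not Snort's own code: it parses the alert block quoted above, works out which end sent the packet (the address before the arrow) and which end is the server (the well-known port), and applies the kind of check a rule for this alert performs on the command channel. The exact rule text is not on the page, so the RETR/passwd matcher is an assumption; an FTP client's 'get /etc/passwd' reaches the wire as a RETR command. The reversed alert and the FTP command lines at the bottom are constructed test inputs.

```python
"""Direction of a Snort alert, and the check behind "FTP passwd retreval attempt".

Added example for the snort-users thread; not code from Snort or the poster.
"""
import re
from dataclasses import dataclass

# Alert block exactly as quoted in the thread (IPs masked by the poster).
THREAD_ALERT = """
[**] [1:356:2] FTP passwd retreval attempt [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/06-14:10:46.916395 x.x.x.11:25733 -> x.x.x.8:21
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:149
***AP*** Seq: 0xDA6FB967  Ack: 0x63800E38  Win: 0x2798  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS213]
"""

# Header line:  [**] [gid:sid:rev] message [**]
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
# Packet line:  MM/DD-HH:MM:SS.usec src:sport -> dst:dport  (IPs may be masked, e.g. x.x.x.11)
PACKET_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_alert(text: str) -> Alert:
    """Parse one alert block as written to Snort's alert file."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    header = HEADER_RE.match(lines[0])
    packet = next((m for m in map(PACKET_RE.match, lines) if m), None)
    if header is None or packet is None:
        raise ValueError("not a Snort alert block")
    gid, sid, rev, msg = header.groups()
    _ts, src, sport, dst, dport = packet.groups()
    return Alert(int(gid), int(sid), int(rev), msg, src, int(sport), dst, int(dport))


def direction(alert: Alert) -> dict:
    """Who sent the packet, and which side is the server.

    Snort prints the packet's own IP header, so the address before '->' is the
    sender of *this packet* and the one after it is the receiver. Which end is
    the server is a separate question answered from the ports: the well-known
    port (< 1024) is the listening service, the high port is the client's
    ephemeral port. If both ports are high (or both low) the roles are unknown.
    """
    if alert.dport < 1024 <= alert.sport:
        client, server, kind = alert.src, alert.dst, "client->server"
    elif alert.sport < 1024 <= alert.dport:
        client, server, kind = alert.dst, alert.src, "server->client"
    else:
        client, server, kind = None, None, "unknown"
    return {"sender": alert.src, "receiver": alert.dst,
            "client": client, "server": server, "packet_is": kind}


def is_passwd_retrieval(command_line: bytes) -> bool:
    """Approximation (assumed, not the rule text) of what the rule looks for on
    the FTP control channel: a RETR verb, case-insensitive, whose argument
    names a passwd file. Only the client ever sends RETR, which is why the
    alert's packet is always client -> server, high port -> 21."""
    verb, _, arg = command_line.strip().partition(b" ")
    return verb.upper() == b"RETR" and b"passwd" in arg


if __name__ == "__main__":
    a = parse_alert(THREAD_ALERT)
    d = direction(a)
    print(f"sid {a.sid}: {d['sender']} sent this packet to {d['receiver']}; "
          f"client is {d['client']}, server is {d['server']} ({d['packet_is']})")
    for cmd in (b"RETR /etc/passwd\r\n", b"retr passwd\r\n", b"RETR README\r\n", b"CWD /etc\r\n"):
        print(cmd.strip(), "->", is_passwd_retrieval(cmd))
```

Running it on the quoted alert reports x.x.x.11 as both sender and client and x.x.x.8 as the server, which is the answer given in the reply: the arrow is the packet direction, and the port numbers only tell you which end is the service, not who initiated anything.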

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

