Snort mailing list archives
Re: Question
From: John Sage <jsage () finchhaven com>
Date: Thu, 29 Nov 2001 20:44:01 -0800
Beau:

After a quick look there are several rules of type "bad-unknown" in snort 1.8.2 ftp.rules (I looked at those because of the dest port 21).

Without you showing more, it's hard to say which one specifically triggered this, and most of the rules seem to have the ACK flag set...
One odd thing, though, is the source port 20 (which is usually the port for the ftp data connection) and destination port 21 (which is the ftp control connection).
That's not right: *if* you were offering ftp service, one would expect a high source port on their end, SYN flag set, to your port 21, and then data transfers would be *from* your 20 to another high port on their end...
- John

Beau Mersereau wrote:
I've had about 12000 alerts in the three weeks or so. No big deal... Pretty much all Nimda, etc. I got a new one today, though... Source Port 20 Dest Port 21 Syn x Sex# 2607314233
heh.. seq?
Ack 0 offset 5 res 0 window 16383 urp 0 chksum 64923 The classification was <bad unknown>.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
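As an added illustration of the anomaly John points out (this is example code, not from the thread or from Snort): a small Python check that parses a Snort "full"-format alert and flags an initial SYN that leaves source port 20 toward port 21, which matches neither a client opening the control connection nor a server opening an active-mode data connection. The sample alert text, the placeholder addresses and the ephemeral-port threshold are constructed for the example; the ports, flags, seq and window mirror the values Beau posted.

```python
import re

FTP_DATA, FTP_CTRL = 20, 21
EPHEMERAL_MIN = 1024  # assumed rough lower bound for client-chosen source ports

# Constructed sample in Snort "full" alert layout. Ports, flags, seq and
# window mirror Beau's post (16383 == 0x3FFF); addresses are placeholders.
SAMPLE_ALERT = """\
[**] [1:0:0] FTP bad-unknown sample [**]
11/29-20:30:01.000000 192.0.2.10:20 -> 198.51.100.7:21
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:40
******S* Seq: 0x9B687539  Ack: 0x0  Win: 0x3FFF  TcpLen: 20
"""

_ADDR = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)")
# Snort prints the TCP flag byte as eight positions in the order 12UAPRSF.
_FLAGS = re.compile(r"^([12UAPRSF*]{8}) Seq:", re.M)


def parse_alert(text):
    """Return (src_port, dst_port, flags) from a Snort full-format alert."""
    addr, flg = _ADDR.search(text), _FLAGS.search(text)
    if not addr or not flg:
        raise ValueError("not a recognisable Snort full alert")
    return int(addr.group(2)), int(addr.group(4)), flg.group(1).replace("*", "")


def classify_ftp_syn(src_port, dst_port, flags):
    """Judge an initial SYN against how FTP actually opens its connections."""
    if "S" not in flags or "A" in flags:
        return "not-an-initial-syn"  # only connection openers are judged
    if dst_port == FTP_CTRL:
        # Control connection: a client SYNs from an ephemeral port to 21.
        if src_port < EPHEMERAL_MIN:
            return f"syn-to-ftp-control-from-low-port-{src_port}"
        return "ok"
    if src_port == FTP_DATA:
        # Active-mode data connection: the server SYNs from 20 to the
        # ephemeral port the client announced with PORT, never to 21.
        if dst_port < EPHEMERAL_MIN:
            return f"active-data-syn-to-low-port-{dst_port}"
        return "ok"
    return "ok"


def check_alert(text):
    """Parse one alert and return the verdict string."""
    return classify_ftp_syn(*parse_alert(text))
```

Running check_alert(SAMPLE_ALERT) yields "syn-to-ftp-control-from-low-port-20", the same oddity John describes; a client's SYN from a high port to 21, or a server's SYN from 20 to a high port, both come back "ok".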