Snort mailing list archives
RE: bad traffic tcp port 0 traffic
From: "John York" <YorkJ () brcc edu>
Date: Mon, 28 Oct 2002 17:16:23 -0500
I've been seeing a fair amount of that traffic as well. When I trace the source, it often turns out to be video or music. The kids in our computer labs are pretty adept at finding P2P or clandestine music sources.

Thanks,
John

John York
Network Engineer
Blue Ridge Community College
1 College Lane/P.O. Box 80
Weyers Cave, VA 24486

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Miller, Eoin
Sent: Monday, October 28, 2002 4:43 PM
To: John McCain; snort-users () lists sourceforge net
Subject: RE: [Snort-users] bad traffic tcp port 0 traffic

That specific one there looks to be a SOCKS proxy scan, being that the destination port is 1080:
http://www.portsdb.org/bin/portsdb.cgi?search=1080

My guess as to why the source port is set to 0 is to get past more firewalls; many people forget that 0 is a number, and they may block 1-65535 and leave out port 0.

From the IPFilter mailing list:

--begin snip--
Note that both the source port is zero, and they've turned on both TH_SYN and TH_FIN on the packet. Both of these are undoubtedly in an attempt to bypass a firewall.
--end snip--

http://false.net/ipfilter/1998_07/0012.html

That's just my guess though.

-----Original Message-----
From: John McCain [mailto:jmccain () layer3al com]
Sent: Monday, October 28, 2002 3:11 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] bad traffic tcp port 0 traffic

I've seen several scans, from several different addresses and targeting different ports, which are originating from TCP port 0, thus tripping the "bad traffic tcp port 0" rule. Does anyone know what this traffic is? Why would you want to launch a scan from tcp port 0?

begin sanitized log snip
10/14-02:37:47.357584 ,BAD TRAFFIC tcp port 0 traffic,TCP,66.250.114.252,0,(target ip),1080,0:8:E2:84:90:A,0:D0:B7:47:81:67,0x3C,******S*,0x15BEF ,0x0,20,0x200,111,0,1828,40,20,,,,
/snip

Thanks.

-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
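Added example, not code from the thread or from Snort: a small Python triage pass over alert_csv lines shaped like the sanitized one John McCain posted, flagging the three things the thread discusses (source port 0, SYN+FIN set together, and a SOCKS destination port). The field order is an assumption inferred from that log line (the old Snort 1.x alert_csv default), and the sample alerts below are constructed.

```python
import csv

# Assumed field layout, inferred from the sanitized line in the thread
# (Snort 1.x "output alert_csv" default). Check your own snort.conf.
FIELDS = ["timestamp", "msg", "proto", "src", "srcport", "dst", "dstport",
          "ethsrc", "ethdst", "ethlen", "tcpflags", "tcpseq", "tcpack", "tcplen",
          "tcpwindow", "ttl", "tos", "id", "dgmlen", "iplen",
          "icmptype", "icmpcode", "icmpid", "icmpseq"]

# Constructed sample alerts modelled on the thread's line; tcpflags uses
# Snort's 8-position "12UAPRSF" notation, so "******S*" is a bare SYN.
SAMPLE_ALERTS = """\
10/14-02:37:47.357584 ,BAD TRAFFIC tcp port 0 traffic,TCP,66.250.114.252,0,192.0.2.10,1080,0:8:E2:84:90:A,0:D0:B7:47:81:67,0x3C,******S*,0x15BEF ,0x0,20,0x200,111,0,1828,40,20,,,,
10/14-02:38:01.001200 ,BAD TRAFFIC tcp port 0 traffic,TCP,198.51.100.7,0,192.0.2.10,22,0:8:E2:84:90:A,0:D0:B7:47:81:67,0x3C,******SF,0x1A2B3C,0x0,20,0x200,64,0,4,40,20,,,,
10/14-02:39:15.500000 ,WEB-MISC robots.txt access,TCP,203.0.113.9,44321,192.0.2.10,80,0:8:E2:84:90:A,0:D0:B7:47:81:67,0x3C,***AP***,0x7F,0x1,20,0x4000,58,0,5,60,20,,,,
"""


def parse_alert(line):
    """Split one alert_csv line into a dict keyed by FIELDS (values stripped)."""
    row = next(csv.reader([line]))
    if len(row) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(row)}")
    rec = {name: value.strip() for name, value in zip(FIELDS, row)}
    rec["srcport"] = int(rec["srcport"])
    rec["dstport"] = int(rec["dstport"])
    return rec


def triage(line):
    """Return the reasons this alert deserves a closer look (empty list if none)."""
    rec = parse_alert(line)
    reasons = []
    if rec["proto"] == "TCP" and rec["srcport"] == 0:
        reasons.append("source port 0")          # no normal stack picks port 0
    if "S" in rec["tcpflags"] and "F" in rec["tcpflags"]:
        reasons.append("SYN+FIN set")            # contradictory flags, per the IPFilter snip
    if rec["dstport"] == 1080:
        reasons.append("SOCKS (1080) destination")
    return reasons


def triage_all(text):
    """Map each alert's timestamp to its triage reasons."""
    return {parse_alert(ln)["timestamp"]: triage(ln)
            for ln in text.splitlines() if ln.strip()}


if __name__ == "__main__":
    for ts, reasons in triage_all(SAMPLE_ALERTS).items():
        print(ts, reasons or "nothing unusual")
```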
Current thread:
- bad traffic tcp port 0 traffic John McCain (Oct 28)
- <Possible follow-ups>
- RE: bad traffic tcp port 0 traffic Miller, Eoin (Oct 28)
- RE: bad traffic tcp port 0 traffic John York (Oct 28)