Snort mailing list archives

RE: bad traffic tcp port 0 traffic


From: "John York" <YorkJ () brcc edu>
Date: Mon, 28 Oct 2002 17:16:23 -0500

I've been seeing a fair amount of that traffic as well.  When I trace
the source, it often turns out to be video or music.  The kids in our
computer labs are pretty adept at finding P2P or clandestine music
sources.
Thanks
John
John York

Network Engineer
Blue Ridge Community College
1 College Lane/P.O. Box 80
Weyers Cave, VA  24486

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Miller, Eoin
Sent: Monday, October 28, 2002 4:43 PM
To: John McCain; snort-users () lists sourceforge net
Subject: RE: [Snort-users] bad traffic tcp port 0 traffic

That specific one there looks to be a SOCKS proxy scan, being that the
destination port is 1080:
http://www.portsdb.org/bin/portsdb.cgi?search=1080

My guess as to why the source port is set to 0 is to get past more
firewalls: many people forget that 0 is a number, and they may block
1-65535 and leave out port 0.

From the IPFilter mailing list:
--begin snip--
Note that both the source port is zero, and they've turned on both TH_SYN
and TH_FIN on the packet. Both of these are undoubtedly in an attempt
to bypass a firewall.
--end snip--
http://false.net/ipfilter/1998_07/0012.html

That's just my guess, though.

-----Original Message-----
From: John McCain [mailto:jmccain () layer3al com]
Sent: Monday, October 28, 2002 3:11 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] bad traffic tcp port 0 traffic


I've seen several scans, from several different addresses and targeting
different ports, which are originating from TCP port 0, thus tripping
the "bad traffic tcp port 0" rule.  Does anyone know what this traffic
is?  Why would you want to launch a scan from TCP port 0?

begin sanitized log snip

10/14-02:37:47.357584 ,BAD TRAFFIC tcp port 0 traffic,TCP,66.250.114.252,0,(target ip),1080,0:8:E2:84:90:A,0:D0:B7:47:81:67,0x3C,******S*,0x15BEF,0x0,20,0x200,111,0,1828,40,20,,,,

/snip


Thanks.



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




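The thread raises three things a defender wants to check quickly on these alerts: a source port of 0, SYN and FIN set together (the IPFilter snippet), and a destination of 1080 (SOCKS). The script below is an added example, not code from the thread or from Snort. It assumes the Snort 1.x CSV field order inferred from John McCain's sanitized alert line and Snort's 12UAPRSF flag-string layout; the sample log lines are constructed (TEST-NET and private addresses), and the function and field names are the example's own.

```python
"""Triage helper for Snort "BAD TRAFFIC tcp port 0" alerts logged as CSV.

Constructed example; not part of the thread or of Snort.  The field order
is inferred from the sanitized alert in the thread (Snort 1.x CSV output);
adjust CSV_FIELDS if your output plugin is configured differently.
"""
import csv
from dataclasses import dataclass
from io import StringIO

# Assumed field order (24 fields), matching the thread's sample line.
CSV_FIELDS = [
    "timestamp", "msg", "proto", "src", "srcport", "dst", "dstport",
    "ethsrc", "ethdst", "ethlen", "tcpflags", "tcpseq", "tcpack", "tcplen",
    "tcpwindow", "ttl", "tos", "id", "dgmlen", "iplen",
    "icmptype", "icmpcode", "icmpid", "icmpseq",
]

# Snort prints TCP flags as an 8-character string in the order 12UAPRSF
# (two reserved bits, URG, ACK, PSH, RST, SYN, FIN); '*' means the bit is clear.
FLAG_ORDER = "12UAPRSF"

# Constructed sample log: line 1 mirrors the thread's alert with addresses
# replaced; line 2 is the SYN+FIN variant the IPFilter snippet describes;
# line 3 is an ordinary SYN to a web server, for contrast.
SAMPLE_LOG = """\
10/14-02:37:47.357584 ,BAD TRAFFIC tcp port 0 traffic,TCP,198.51.100.252,0,10.0.0.5,1080,0:8:E2:84:90:A,0:D0:B7:47:81:67,0x3C,******S*,0x15BEF,0x0,20,0x200,111,0,1828,40,20,,,,
10/14-02:38:01.112233 ,BAD TRAFFIC tcp port 0 traffic,TCP,198.51.100.252,0,10.0.0.6,1080,0:8:E2:84:90:A,0:D0:B7:47:81:67,0x3C,******SF,0x15BF0,0x0,20,0x200,111,0,1829,40,20,,,,
10/14-02:38:05.000001 ,WEB-MISC example,TCP,192.0.2.10,34567,10.0.0.7,80,0:8:E2:84:90:A,0:D0:B7:47:81:67,0x3C,******S*,0xABCDEF,0x0,20,0x4000,64,0,4242,40,20,,,,
"""


@dataclass
class Alert:
    timestamp: str
    msg: str
    src: str
    srcport: int
    dst: str
    dstport: int
    flags: set  # letters from FLAG_ORDER that are set


def decode_flags(field: str) -> set:
    """Turn a '******SF' style field into a set such as {'S', 'F'}."""
    if len(field) != len(FLAG_ORDER):
        raise ValueError(f"unexpected tcpflags field: {field!r}")
    return {name for name, ch in zip(FLAG_ORDER, field) if ch != "*"}


def parse_csv_alerts(text: str) -> list:
    """Parse CSV alert lines; rows with the wrong field count or a non-TCP
    protocol are skipped rather than guessed at."""
    alerts = []
    for row in csv.reader(StringIO(text)):
        if len(row) != len(CSV_FIELDS):
            continue
        rec = dict(zip(CSV_FIELDS, row))
        if rec["proto"] != "TCP":
            continue
        alerts.append(Alert(
            timestamp=rec["timestamp"].strip(), msg=rec["msg"],
            src=rec["src"], srcport=int(rec["srcport"]),
            dst=rec["dst"], dstport=int(rec["dstport"]),
            flags=decode_flags(rec["tcpflags"]),
        ))
    return alerts


def classify(alert: Alert) -> list:
    """Return the reasons an alert matches the patterns discussed in the thread."""
    reasons = []
    if alert.srcport == 0:
        reasons.append("source port 0")          # outside the 1-65535 range ACLs often assume
    if {"S", "F"} <= alert.flags:
        reasons.append("SYN+FIN set together")   # illegal combination, per the IPFilter snip
    if alert.dstport == 1080:
        reasons.append("SOCKS port 1080 probed")  # proxy scan target
    return reasons


def triage(text: str) -> dict:
    """Group matching alerts by source so each source is traced once.

    Returns {src: {"count": n, "reasons": [...], "targets": [...]}}.  As the
    thread notes, the trace often ends at P2P media traffic, so this is a
    worklist for investigation, not a block list.
    """
    summary = {}
    for a in parse_csv_alerts(text):
        reasons = classify(a)
        if not reasons:
            continue
        e = summary.setdefault(a.src, {"count": 0, "reasons": set(), "targets": set()})
        e["count"] += 1
        e["reasons"].update(reasons)
        e["targets"].add(f"{a.dst}:{a.dstport}")
    return {src: {"count": e["count"], "reasons": sorted(e["reasons"]),
                  "targets": sorted(e["targets"])} for src, e in summary.items()}


if __name__ == "__main__":
    for src, info in triage(SAMPLE_LOG).items():
        print(f"{src}: {info['count']} alert(s); {', '.join(info['reasons'])}; "
              f"targets {', '.join(info['targets'])}")
```

Run it against a real `alert.csv` by replacing SAMPLE_LOG with the file's contents; if your Snort build emits a different CSV field order, change CSV_FIELDS to match before trusting the source/port columns.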

