Snort mailing list archives

SCAN Amanda and port 0 traffic


From: Clayton Mascarenhas <masclaythesnort () yahoo com>
Date: Tue, 25 Mar 2003 14:57:37 -0800 (PST)


Dear List,

I have two questions.

Firstly, I got this alert.

01/29-00:45:00.105251 [**] [1:634:2] SCAN Amanda client version request [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 1.12.13.14:841-> 2.23.24.25:10080

My understanding is that Snort caught a UDP packet (containing the word amanda and, I guess, asking for the version of
the Amanda client program running) going to the Amanda program running on 2.23.24.25. My understanding of the Amanda
software is not good, but why would anyone want to send a UDP packet to this software package running on that host?
Do they get any info back? Does it cause any harm to the host machine? Should I be worried about this alert? Why does it
say "request", as in SCAN Amanda client version "request"?

The second question is with regard to the TCP traffic sent to port 0. Snort catches this traffic and lists it as BAD
traffic to port 0. Is it at all harmful if our host machines receive traffic to port 0? If not, what gain does an
attacker get out of this?

Thanks all :-).
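
An added example, not part of the original message: a small Python parser for the fast-format alert line quoted above. It splits the line into generator:SID:revision, classification, priority, protocol and endpoints, then groups alerts by SID and source and lists any with port 0 at either end. The second sample line (its SID, message and addresses) is constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Snort "fast" alert layout, as in the alert quoted in the message above.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s*->\s*"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alert(line):
    """Return a dict of fields for one fast-format alert line, or None."""
    m = ALERT_RE.match(" ".join(line.split()))  # undo wrapping / extra spaces
    if not m:
        return None
    f = m.groupdict()
    for k in ("gid", "sid", "rev", "prio"):
        f[k] = int(f[k])
    for k in ("sport", "dport"):
        f[k] = int(f[k]) if f[k] is not None else None  # ICMP lines carry no ports
    return f

def triage(lines):
    """Count alerts per (sid, source) and collect those touching port 0."""
    counts, port0 = Counter(), []
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue  # not a fast-format alert line
        counts[(a["sid"], a["src"])] += 1
        if a["sport"] == 0 or a["dport"] == 0:
            port0.append(a)
    return counts, port0

SAMPLE = [
    # First line: the alert from the message above (note the missing space before "->").
    "01/29-00:45:00.105251 [**] [1:634:2] SCAN Amanda client version request [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {UDP} "
    "1.12.13.14:841-> 2.23.24.25:10080",
    # Second line: constructed for illustration; placeholder SID and documentation addresses.
    "01/29-00:46:10.000001 [**] [1:1000001:1] port 0 traffic (constructed) [**] "
    "[Priority: 3] {TCP} 192.0.2.10:40000 -> 192.0.2.20:0",
]

if __name__ == "__main__":
    counts, port0 = triage(SAMPLE)
    print(counts, [(a["src"], a["dst"]) for a in port0])
```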


