Snort mailing list archives
SCAN Amanda and port 0 traffic
From: Clayton Mascarenhas <masclaythesnort () yahoo com>
Date: Tue, 25 Mar 2003 14:57:37 -0800 (PST)
Dear List,

I have two questions.

Firstly, I got this alert.

01/29-00:45:00.105251 [**] [1:634:2] SCAN Amanda client version request [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 1.12.13.14:841-> 2.23.24.25:10080

My understanding is that Snort caught a UDP packet (containing the word amanda and, I guess, asking for the version of the Amanda client program running) going to the Amanda program running on 2.23.24.25. My understanding of the Amanda software is not good... but why would anyone want to send a UDP packet to this software package running on that host? Do they get any info back? Does it cause any harm to the host machine? Should I be worried about this alert? Why does it say "request", as in SCAN Amanda client version "request"?

The second question is with regard to the TCP traffic sent to port 0. Snort catches this traffic and lists it as BAD traffic to port 0. Is it at all harmful if our host machines receive traffic to port 0? If not, what gain does an attacker get out of this?

Thanks all :-).