Snort mailing list archives
RE: Wrong port numbers - Snort or ACID bug - how to fix?
From: "Semerjian, Ohanes" <ohanes.semerjian () au mci com>
Date: Thu, 1 May 2003 15:27:33 +0800
I hope this will be of assistance to you. ICMP doesn't use ports, as it is not a layer three protocol, so what you are seeing in the payload is the original packet that caused the ICMP packet due to some kind of error. Now let's agree on one thing, and that is that what you are capturing with your sniffer is the most correct info you could depend on. I don't know what the layout is at your site, but depend on the captured packets to analyse and understand what is going on at your site.

Best Regards
Ohanes Semerjian
Security Engineer, AsiaPac
International Security Group (Central Services)
WorldCom International
Ph: (02) 9434 5636
Mob: 0410 657 249
PGP Key 75DF 2980 5663 2DC1 12CD E43E 94D6 7A9A 222D 3449

-----Original Message-----
From: Jerry.L.Rose () saj02 usace army mil [mailto:Jerry.L.Rose () saj02 usace army mil]
Sent: Thursday, 1 May 2003 3:53 AM
To: snort-users () lists sourceforge net; acidlab-users () lists sourceforge net
Subject: [Snort-users] Wrong port numbers - Snort or ACID bug - how to fix?

Hello all,

I am running Snort Version 2.0.0 (Build 72) and barnyard version 0.1.0-beta6 on my NID sensors, ACID v0.9.6b21 on the webserver, and MySQL on the database server. All are running on Linux RedHat 8.0 boxes.

Here's my problem... I'm getting some ICMP alerts that show unusual original source and original destination ports in the payload section. I set up a sniffer on the same network segment as my NIDS and managed to capture the same ICMP packet on both the sensor and sniffer for further investigation. My snort database shows the original source port as port 16675 and the original destination port as 14179. My sniffer shows the original source port as port 80 and the original destination port as 1052. I am assuming that the data gets converted improperly somewhere between Snort, barnyard, and ACID. It seems to me that I've seen this problem somewhere before, but can't seem to find the solution. Any ideas? I'm guessing that this is an ACID problem, but am not sure.

Jerry Rose
Network Security Administrator
U.S. Army Corps of Engineers
Jacksonville District
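The point made in the reply, that the "original" ports on an ICMP alert are read out of the offending datagram echoed inside the ICMP error rather than out of ICMP itself, is easy to check by hand against a sniffer capture. The following Python is an added example; it is not code from this thread nor from Snort, barnyard or ACID. It constructs an ICMP destination-unreachable packet whose embedded TCP header carries source port 80 and destination port 1052 (the values the sniffer in the thread showed), decodes it along the RFC 792 layout (8-byte ICMP header, then the original IP header, then at least 8 bytes of the original payload), verifies both checksums, and compares the decoded ports with whatever a console displayed. The IP addresses, the builder helpers and the function names are assumptions made for the example.

```python
"""Decode the original datagram echoed inside an ICMP error message.

Added example, not code from the Snort/ACID thread or from those projects.
Per RFC 792 an ICMP error has an 8-byte ICMP header followed by the
offending datagram's IP header plus at least the first 8 bytes of its
payload. For TCP and UDP those 8 bytes begin with the original source and
destination ports, which is the only place a console's "original port"
values can come from. Decoding by hand lets a sensor's database entry be
checked against a sniffer capture of the same packet.
"""
import socket
import struct

# ver/ihl, tos, total len, id, flags+frag, ttl, proto, checksum, src, dst
IPV4_HDR = "!BBHHHBBH4s4s"
ICMP_ERROR_TYPES = {3: "destination unreachable", 4: "source quench", 5: "redirect",
                    11: "time exceeded", 12: "parameter problem"}
TRANSPORT_NAMES = {6: "TCP", 17: "UDP"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; yields 0 when run over an intact header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_icmp_error(icmp_type: int, code: int, orig_src: str, orig_dst: str,
                     orig_proto: int, orig_sport: int, orig_dport: int) -> bytes:
    """Constructed sample: the ICMP error the original destination sends back.

    The embedded part is the original IP header plus 8 payload bytes: the two
    ports followed by 4 bytes (TCP sequence number or UDP length/checksum).
    The embedded total length of 60 is an arbitrary claimed original size.
    """
    first8 = struct.pack("!HH", orig_sport, orig_dport) + b"\x00" * 4
    embedded = ipv4_header(orig_src, orig_dst, orig_proto, 60) + first8
    icmp = bytes([icmp_type, code, 0, 0]) + b"\x00" * 4 + embedded
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(orig_dst, orig_src, 1, 20 + len(icmp)) + icmp


def decode_icmp_error(packet: bytes) -> dict:
    """Return addresses, ICMP type and the original ports from a raw IPv4+ICMP packet.

    Raises ValueError for anything that is not a well-formed ICMP error carrying
    the embedded IP header and at least 8 bytes of the original payload.
    """
    if len(packet) < 20:
        raise ValueError("truncated outer IP header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    outer_ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or outer_ihl < 20 or proto != 1:
        raise ValueError("not an IPv4 packet carrying ICMP")
    icmp = packet[outer_ihl:]
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, icmp_code = icmp[0], icmp[1]
    if icmp_type not in ICMP_ERROR_TYPES:
        raise ValueError(f"ICMP type {icmp_type} carries no embedded datagram")
    inner = icmp[8:]
    if len(inner) < 20:
        raise ValueError("truncated embedded IP header")
    in_ver_ihl, _, _, _, _, _, in_proto, _, in_src, in_dst = struct.unpack(IPV4_HDR, inner[:20])
    inner_ihl = (in_ver_ihl & 0x0F) * 4   # honour options in the original header
    if len(inner) < inner_ihl + 8:
        raise ValueError("embedded datagram shorter than IP header + 8 bytes")
    info = {
        "icmp_type": icmp_type, "icmp_code": icmp_code,
        "icmp_name": ICMP_ERROR_TYPES[icmp_type],
        "from": socket.inet_ntoa(src), "to": socket.inet_ntoa(dst),
        "orig_src": socket.inet_ntoa(in_src), "orig_dst": socket.inet_ntoa(in_dst),
        "orig_proto": TRANSPORT_NAMES.get(in_proto, str(in_proto)),
        "orig_sport": None, "orig_dport": None,
        # both checksums fold to zero when the capture is intact
        "checksums_ok": inet_checksum(packet[:outer_ihl]) == 0 and inet_checksum(icmp) == 0,
    }
    if in_proto in TRANSPORT_NAMES:   # ports exist only for TCP/UDP originals
        info["orig_sport"], info["orig_dport"] = struct.unpack(
            "!HH", inner[inner_ihl:inner_ihl + 4])
    return info


def console_ports_match(packet: bytes, shown_sport: int, shown_dport: int) -> bool:
    """True when the ports a console displayed equal the ones decoded from the packet."""
    info = decode_icmp_error(packet)
    return (info["orig_sport"], info["orig_dport"]) == (shown_sport, shown_dport)


if __name__ == "__main__":
    # Constructed sample (made-up addresses): a port-unreachable error about a
    # TCP segment 80 -> 1052, the ports the sniffer in the thread reported.
    pkt = build_icmp_error(3, 3, "192.0.2.10", "192.0.2.20", 6, 80, 1052)
    print(decode_icmp_error(pkt))
    print("console 16675/14179 matches packet:", console_ports_match(pkt, 16675, 14179))
```

Feeding `decode_icmp_error` the raw bytes of the packet captured by the sniffer (for instance the payload column of a capture, minus any link-layer header) gives the ports straight from the wire; if those agree with the sniffer but not with what the console shows, the discrepancy lies in the sensor-to-console path rather than in the packet, which is the conclusion the reply above points towards.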