Snort mailing list archives
RE: Nmap
From: <bmcdowell () coxhealthplans com>
Date: Wed, 19 Nov 2003 12:02:31 -0600
You know what, I just realized that I do do some filtering based on the source port: outbound filtering. E.g.

iptables -A FORWARD -s [webserver] --sport ! 80 -j DROP

There isn't anything wrong with doing that, is there?

Bob

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Mark Fagan
Sent: Wednesday, November 19, 2003 5:57 AM
To: Matt Kettler
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Nmap

Hi Matt,

I don't actually work with many of the firewalls you mentioned except for the PIX; I also work with Checkpoint and Netscreen. For Checkpoint and Netscreen you would need to really do things arse-ways in order to make such a mistake. I would like to hear any other views on this. Do people really do filtering based on source port?????

Also I have been an MCSE since 3.5 and feel MCSEs tend not to know very much about IP anyway.

Cheers
Mark

Quoting Matt Kettler <mkettler () evi-inc com>:
> At 06:13 AM 11/15/2003, Mark Fagan wrote:
> > I don't fully agree here. Unless you're using an antique firewall it's not possible to allow traffic based on source port.
>
> To my knowledge every version of IPChains, IPTables, OpenBSD PF, BSD IPF, Cisco PIX, and Cisco IOS has some form of rule which you can add to force allow traffic to pass the firewall based only on source port. Not that it's a good idea.. but I challenge your assertion that it's not possible on a modern firewall... In fact, I'd be surprised if _any_ major firewalls would flat out refuse such a rule if manually configured to do so.. Maybe some of the more paranoid ones such as the Secure Computing Sidewinder G2 might refuse such things, but certainly there are a large number of major firewalls that will accept such things.
>
> > Also anyone who (where possible) allows traffic based on source port needs their heads examined.
>
> I agree.. that's why I referred to said admins as incompetent. Yes, they do need their heads examined, but there really are admins out there that know absolutely nothing about TCP/IP that are administering firewalls. It's very common for a small company to have a single MCSE guy on staff to run their Windows NT/2k/2003 file servers who is also responsible (by default) for running the firewall.. Not all MCSEs know TCP/IP, and the ones that don't are just going to make up some arbitrary bypass rules to "make it work" without understanding what's going on. This really does happen, and hackers do know it, and do try to take advantage of it.
>
> > The source port seems spoofed in this example, however B2B applications I have seen previously can use same source as dest port for communication, so don't panic until you actually investigate the source.
>
> In this case it's not the same src/dest port pairing.. it's TCP traffic from a HTTP port to a DNS port.. That traffic pattern is VERY suspect.
>
> Sure it's possible that some crack smoking Windows programmer decided that DNS queries should be done using port 80 as a source, and be done using TCP instead of UDP.. but that's not very likely.
-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
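As an added example (not code from the thread or from any of its authors), the following Python flags the flow shape Matt describes above, a TCP SYN from the HTTP port to the DNS port, and contrasts the source-port-only allow rule the thread criticises with a connection-tracking check. The log format, addresses and conntrack table are constructed for the example.

```python
from dataclasses import dataclass

SERVICE_PORTS = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "https"}  # never a client's source port

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags: "S" = bare SYN (new connection), "SA" = SYN/ACK reply

def parse_flow(line: str) -> Flow:
    # Constructed log format (assumption): "<proto> <src>:<sport> -> <dst>:<dport> <flags>"
    proto, src, _arrow, dst, flags = line.split()
    shost, sport = src.rsplit(":", 1)
    dhost, dport = dst.rsplit(":", 1)
    return Flow(proto.lower(), shost, int(sport), dhost, int(dport), flags)

def is_suspect(flow: Flow) -> bool:
    """A new TCP connection (bare SYN) from one well-known service port to a
    different one. Real clients open connections from ephemeral ports, so a SYN
    from 80 to 53 is the shape Matt describes, not a web server replying."""
    return (flow.proto == "tcp" and flow.flags == "S"
            and flow.sport in SERVICE_PORTS and flow.dport in SERVICE_PORTS
            and flow.sport != flow.dport)

def stateless_allows(flow: Flow) -> bool:
    """The rule the thread criticises: trust anything that claims source port 80."""
    return flow.sport == 80

def stateful_allows(flow: Flow, conntrack: set) -> bool:
    """Accept a packet from port 80 only as the reply to a connection an inside
    host opened; conntrack holds (inside_host, inside_port, server, 80) tuples."""
    return flow.sport == 80 and (flow.dst, flow.dport, flow.src, flow.sport) in conntrack

# Constructed sample log (RFC 5737 documentation addresses).
LOG = [
    "tcp 203.0.113.10:80 -> 192.0.2.5:40211 SA",  # web server answering a real request
    "tcp 203.0.113.10:80 -> 192.0.2.5:53 S",      # HTTP port to DNS port: suspect
    "udp 192.0.2.5:53 -> 198.51.100.7:53 -",      # same src/dst port, DNS to DNS: fine
]
CONNTRACK = {("192.0.2.5", 40211, "203.0.113.10", 80)}  # the inside host's open web request

def audit(lines: list) -> list:
    """Per line: (line, suspect, allowed by sport-only rule, allowed by stateful check)."""
    flows = [parse_flow(l) for l in lines]
    return [(l, is_suspect(f), stateless_allows(f), stateful_allows(f, CONNTRACK))
            for l, f in zip(lines, flows)]
```

audit(LOG) returns one tuple per line: only the SYN from port 80 to port 53 is flagged as suspect, and it is the flow that the source-port-only rule lets through while the connection-tracking check rejects it.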