Snort mailing list archives

Re: Question


From: John Sage <jsage () finchhaven com>
Date: Thu, 29 Nov 2001 20:44:01 -0800

Beau:

After a quick look there are several rules of type "bad-unknown" in snort 1.8.2 ftp.rules

(I looked at those because of the dest port 21)

Without you showing more, it's hard to say which one specifically triggered this, and most of the rules seem to have the ACK flag set...

One odd thing, though, is the source port 20 (which is usually the port for the ftp data connection) and destination port 21 (which is the ftp control connection)

That's not right: *if* you were offering ftp service, one would expect a high source port on their end, SYN flag set, to your port 21, and then data transfers would be *from* your 20 to another high port on their end...

- John

Beau Mersereau wrote:

I've had about 12000 alerts in the three weeks or so.  No big deal...
Pretty much all Nimda, etc.  I got a new one today, though...

Source Port 20
Dest Port   21
Syn         x
Sex#        2607314233


heh.. seq?

Ack         0
offset      5
res         0
window      16383
urp         0
chksum      64923

The classification was <bad unknown>.

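A small check that encodes the expected active-mode ftp pattern John describes (client high port SYN to server 21, data from server 20 to a client high port) and flags the packet Beau posted, added here as an example and not code from the thread or from Snort. The `TcpHeader` fields, the `server_side` hint and the sample packets are constructed assumptions.

```python
from dataclasses import dataclass

# Expected active-mode ftp legs, per the reply above:
#   control: client ephemeral port --SYN--> server port 21
#   data:    server port 20 --SYN--> client ephemeral port
FTP_CONTROL, FTP_DATA = 21, 20
EPHEMERAL_MIN = 1024  # assumption: anything below this is not a client port


@dataclass(frozen=True)
class TcpHeader:
    sport: int
    dport: int
    flags: frozenset  # e.g. frozenset({"SYN"}), frozenset({"SYN", "ACK"})
    seq: int = 0
    ack: int = 0


def classify_ftp_packet(pkt: TcpHeader, server_side: str) -> str:
    """Return 'control-open', 'data-open', 'established' or 'anomalous'.

    server_side is 'dst' when the packet is headed toward our ftp server
    and 'src' when it leaves it (assumed to be known from the sensor).
    """
    if pkt.flags == frozenset({"SYN"}):
        if (server_side == "dst" and pkt.dport == FTP_CONTROL
                and pkt.sport >= EPHEMERAL_MIN):
            return "control-open"
        if (server_side == "src" and pkt.sport == FTP_DATA
                and pkt.dport >= EPHEMERAL_MIN):
            return "data-open"
        # A bare SYN from port 20 to port 21 fits neither leg.
        return "anomalous"
    if "ACK" in pkt.flags:
        return "established"
    return "anomalous"


def find_anomalies(packets, server_side):
    """Return the packets that do not match either expected ftp leg."""
    return [p for p in packets if classify_ftp_packet(p, server_side) == "anomalous"]


# Constructed sample: the posted packet plus a normal control-channel open.
SAMPLE = [
    TcpHeader(sport=20, dport=21, flags=frozenset({"SYN"}), seq=2607314233, ack=0),
    TcpHeader(sport=40123, dport=21, flags=frozenset({"SYN"})),
]
```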

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
