Snort mailing list archives
Help interpreting a trace
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Fri, 19 Oct 2001 12:26:23 -0400
Running latest Snort on RH Linux 7. Occasionally, I see traces similar to the following, which just occurred here yesterday. The src and dst ports are the same. I created a custom rule to check for outgoing connections on port 80, which is what tripped this. Looking at the TCP settings, both SYN and ACK are set, which means this is a response, not an initiated connection from my network. In other words, the unknown server on the Internet had to communicate with my server first with a source port of 80.

Is my interpretation correct? How can someone force a source port of 80? What would be the purpose of doing that anyway, since most IDS systems would pick right up on this? Any info is appreciated since I can't seem to find info on this anywhere else so far.....

10/18-09:43:46.687742 <my web server>:80 -> <unknown server>:80
TCP TTL:128 TOS:0x0 ID:7707 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x63209372  Ack: 0xB2B2692C  Win: 0x2238  TcpLen: 24
TCP Options (1) => MSS: 1460

10/18-09:55:46.894132 <my web server>:80 -> <unknown server>:80
TCP TTL:128 TOS:0x0 ID:37345 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x30040264  Ack: 0xDD9B3E9A  Win: 0x2238  TcpLen: 24
TCP Options (1) => MSS: 1460

Thanks,
Paul
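As an added example (not part of Paul's post or of Snort's own code), the following parser reads records in the packet-log layout quoted above and picks out SYN/ACKs that leave the web server's port 80 for port 80 on the peer, which is the condition Paul's custom rule tripped on; the addresses are constructed placeholders standing in for the hostnames in the post.

```python
import re
from dataclasses import dataclass
# Constructed sample in Snort's packet-log layout: the first record mirrors
# the post's trace (flags, IDs, seq/ack copied; placeholder addresses used
# instead of the post's hostnames), the second is an ordinary SYN/ACK
# reply to a client's ephemeral port and must not be flagged.
SAMPLE_LOG = """\
10/18-09:43:46.687742 10.0.0.5:80 -> 203.0.113.7:80
TCP TTL:128 TOS:0x0 ID:7707 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x63209372  Ack: 0xB2B2692C  Win: 0x2238  TcpLen: 24
TCP Options (1) => MSS: 1460

10/18-10:02:11.000000 10.0.0.5:80 -> 198.51.100.4:49160
TCP TTL:128 TOS:0x0 ID:40001 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x01020304  Ack: 0x05060708  Win: 0x2238  TcpLen: 24
TCP Options (1) => MSS: 1460
"""

HEADER_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
# Snort prints the TCP flags as eight fixed columns, 1 2 U A P R S F, with
# '*' for a clear bit, so "***A**S*" means ACK and SYN are set.
FLAGS_RE = re.compile(r"^([12*]{2}[U*][A*][P*][R*][S*][F*])\s")

@dataclass
class Record:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # the eight-column flag string as printed

def parse_records(text: str) -> list:
    """Parse blank-line-separated Snort packet records into Record objects."""
    records = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        hdr, flg = HEADER_RE.match(lines[0]), FLAGS_RE.match(lines[2])
        if hdr and flg:
            ts, src, sport, dst, dport = hdr.groups()
            records.append(Record(ts, src, int(sport), dst, int(dport), flg.group(1)))
    return records

def reflected_service_port(records, service_port=80):
    """SYN/ACKs leaving our service port for the same port on the peer: the
    peer's SYN carried source port 80, which ordinary clients never use."""
    return [r for r in records
            if r.sport == r.dport == service_port
            and "S" in r.flags and "A" in r.flags]
```

Run as a filter over a Snort packet log, it separates the "same port both ends" replies from the normal SYN/ACKs to ephemeral client ports that a plain "outgoing from port 80" rule also catches.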
Current thread:
- Help interpreting a trace Sheahan, Paul (PCLN-NW) (Oct 19)
- <Possible follow-ups>
- RE: Help interpreting a trace Chris Eidem (Oct 22)