Snort mailing list archives

Help interpreting a trace


From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Fri, 19 Oct 2001 12:26:23 -0400

Running latest Snort on RH Linux 7.

Occasionally, I see traces similar to the following, which just occurred here
yesterday. The src and dst ports are the same. I created a custom rule to
check for outgoing connections on port 80 which is what tripped this.
Looking at the TCP settings, both SYN and ACK are set which means this is a
response, not an initiated connection from my network. In other words, the
unknown server on the Internet had to communicate with my server first with
a source port of 80.

Is my interpretation correct? How can someone force a source port of 80?
What would be the purpose of doing that anyway since most IDS systems would
pick right up on this? Any info is appreciated since I can't seem to find
info on this anywhere else so far.....


10/18-09:43:46.687742 <my web server>:80 -> <unknown server>:80
TCP TTL:128 TOS:0x0 ID:7707 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x63209372  Ack: 0xB2B2692C  Win: 0x2238  TcpLen: 24
TCP Options (1) => MSS: 1460

10/18-09:55:46.894132 <my web server>:80 -> <unknown server>:80
TCP TTL:128 TOS:0x0 ID:37345 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x30040264  Ack: 0xDD9B3E9A  Win: 0x2238  TcpLen: 24
TCP Options (1) => MSS: 1460



Thanks,
Paul 
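As an added example (not part of Paul's post and not Snort's own code), the following parses Snort's three-line TCP alert records as quoted above and applies the reading the post gives them: the flag column follows Snort's fixed order 12UAPRSF with `*` for a clear bit, so `***A**S*` is SYN+ACK, and a SYN+ACK whose source and destination ports are both 80 is a reply to a connection the remote host opened from source port 80.

```python
"""Parse Snort classic-format TCP alerts and flag SYN+ACK replies with equal ports."""
import re
from dataclasses import dataclass

# Snort prints the eight TCP flag bits in this fixed order; '*' means the bit is clear.
FLAG_NAMES = {"1": "CWR", "2": "ECE", "U": "URG", "A": "ACK",
              "P": "PSH", "R": "RST", "S": "SYN", "F": "FIN"}

HEADER_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(.+?):(\d+) -> (.+?):(\d+)\s*$")
FLAGS_RE = re.compile(r"^([1*][2*][U*][A*][P*][R*][S*][F*])\s+Seq:")

# The two records quoted in the post (hostnames are the post's own placeholders).
SAMPLE = """10/18-09:43:46.687742 <my web server>:80 -> <unknown server>:80
TCP TTL:128 TOS:0x0 ID:7707 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x63209372  Ack: 0xB2B2692C  Win: 0x2238  TcpLen: 24
TCP Options (1) => MSS: 1460

10/18-09:55:46.894132 <my web server>:80 -> <unknown server>:80
TCP TTL:128 TOS:0x0 ID:37345 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x30040264  Ack: 0xDD9B3E9A  Win: 0x2238  TcpLen: 24
TCP Options (1) => MSS: 1460
"""

@dataclass
class TcpAlert:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset

def decode_flags(field: str) -> frozenset:
    """Turn a Snort flag column such as '***A**S*' into a set of flag names."""
    return frozenset(FLAG_NAMES[c] for c in field if c != "*")

def parse_alerts(text: str) -> list:
    """Walk the log: a timestamp header line, the IP line, then the TCP flags line."""
    alerts, lines, i = [], [l for l in text.splitlines() if l.strip()], 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        f = FLAGS_RE.match(lines[i + 2]) if m and i + 2 < len(lines) else None
        if m and f:
            alerts.append(TcpAlert(m[1], m[2], int(m[3]), m[4], int(m[5]), decode_flags(f[1])))
            i += 3
        else:
            i += 1  # options line or unrecognised line: skip it
    return alerts

def classify(a: TcpAlert) -> str:
    """SYN alone: our host opened the connection. SYN+ACK: we are answering the peer's SYN."""
    if "SYN" in a.flags and "ACK" not in a.flags:
        return "outbound-initiation"
    if {"SYN", "ACK"} <= a.flags and "RST" not in a.flags:
        return "reply-same-port" if a.sport == a.dport else "reply"
    return "other"
```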

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net