Snort mailing list archives

RE: Help interpreting a trace


From: "Chris Eidem" <jceidem () dexma com>
Date: Mon, 22 Oct 2001 08:29:47 -0500

It could be that someone is attempting a scan using ports that you
probably allow through your firewall.  If no other ports are allowed,
trying to sneak a scan in through ports 21, 53, 80, or 443 may get you
more information and nmap allows you to pick a source port for just this
reason.

hth
Chris

-----Original Message-----
From: Sheahan, Paul (PCLN-NW) [mailto:Paul.Sheahan () priceline com]
Sent: Friday, October 19, 2001 11:26 AM
To: Snort List (E-mail)
Subject: [Snort-users] Help interpreting a trace


Running latest Snort on RH Linux 7.

Occasionally, I see traces similar to the following, which just occurred here yesterday. The src and dst ports are the same. I created a custom rule to check for outgoing connections on port 80 which is what tripped this. Looking at the TCP settings, both SYN and ACK are set which means this is a response, not an initiated connection from my network. In other words, the unknown server on the Internet had to communicate with my server first with a source port of 80.

Is my interpretation correct? How can someone force a source port of 80? What would be the purpose of doing that anyway since most IDS systems would pick right up on this? Any info is appreciated since I can't seem to find info on this anywhere else so far.....


10/18-09:43:46.687742 <my web server>:80 -> <unknown server>:80
TCP TTL:128 TOS:0x0 ID:7707 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x63209372  Ack: 0xB2B2692C  Win: 0x2238  TcpLen: 24
TCP Options (1) => MSS: 1460

10/18-09:55:46.894132 <my web server>:80 -> <unknown server>:80
TCP TTL:128 TOS:0x0 ID:37345 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x30040264  Ack: 0xDD9B3E9A  Win: 0x2238  TcpLen: 24
TCP Options (1) => MSS: 1460



Thanks,
Paul 

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
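The inference in the exchange above, worked through as an added example (my code, written for this archive page; it is not the posters' code and not part of Snort): parse Snort "full"-format alert records shaped like Paul's trace, decode the eight-column TCP flag field, and use the handshake flags rather than the port numbers to decide which host opened the connection. The addresses, the HOME_NET range and the set of "firewall-friendly" source ports are assumptions chosen for the demonstration; the sample alert text is constructed to match the layout of the posted trace.

```python
"""Decode Snort 'full'-format alerts like the trace in this thread and work
out which side opened the connection.

Added example, not code from the thread or from Snort. Addresses, HOME_NET
and the trusted-port set are placeholders chosen for the demonstration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: the monitored web server sits in this documentation range.
HOME_NET = ipaddress.ip_network("192.0.2.0/24")
# Source ports a stateless firewall is often told to let through (the ports
# named in the reply above); nmap -g/--source-port can set any of them.
TRUSTED_SOURCE_PORTS = {21, 53, 80, 443}

# Snort prints the TCP flag byte as eight columns, left to right:
# reserved bit 1, reserved bit 2, URG, ACK, PSH, RST, SYN, FIN.
# A set bit shows its letter (or digit); a clear bit shows '*'.
FLAG_ORDER = "12UAPRSF"

HEADER_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")
FLAGS_RE = re.compile(
    r"^([12UAPRSF*]{8})\s+Seq:\s*(0x[0-9A-Fa-f]+)\s+Ack:\s*(0x[0-9A-Fa-f]+)")


@dataclass
class Alert:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    seq: int
    ack: int


@dataclass
class Finding:
    verdict: str         # what the packet tells us
    initiator: str       # host that sent the first SYN
    initiator_port: int  # source port that host chose


def parse_flags(field: str) -> frozenset:
    """'***A**S*' -> {'A', 'S'}; a '*' means the bit is clear."""
    if len(field) != 8:
        raise ValueError(f"bad flag field: {field!r}")
    return frozenset(letter for letter, ch in zip(FLAG_ORDER, field) if ch != "*")


def parse_alerts(text: str) -> list:
    """Pair each 'src:port -> dst:port' header with the TCP line below it."""
    alerts, header = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            header = m.groups()
            continue
        m = FLAGS_RE.match(line)
        if m and header:
            ts, src, sport, dst, dport = header
            alerts.append(Alert(ts, src, int(sport), dst, int(dport),
                                parse_flags(m.group(1)),
                                int(m.group(2), 16), int(m.group(3), 16)))
            header = None
    return alerts


def classify(a: Alert) -> Finding:
    """Use the handshake flags, not the port numbers, to decide who connected."""
    src_home = ipaddress.ip_address(a.src) in HOME_NET
    if a.flags == {"S"}:
        return Finding("SYN: connection opened by the sender", a.src, a.sport)
    if a.flags == {"S", "A"}:
        # SYN/ACK is step two of the handshake: the *destination* of this
        # packet sent the SYN, from its port a.dport to a.src:a.sport.
        if src_home and a.dport in TRUSTED_SOURCE_PORTS:
            note = " (same port both ends)" if a.dport == a.sport else ""
            return Finding("SYN/ACK to a firewall-friendly source port: "
                           f"possible source-port scan{note}", a.dst, a.dport)
        return Finding("SYN/ACK: reply to a connection the destination opened",
                       a.dst, a.dport)
    return Finding("mid-stream or teardown segment", "?", 0)


# Constructed sample in the layout of the posted trace (placeholder addresses):
# two SYN/ACKs like Paul's, plus one ordinary outbound SYN for contrast.
SAMPLE_ALERTS = """\
10/18-09:43:46.687742 192.0.2.10:80 -> 203.0.113.5:80
TCP TTL:128 TOS:0x0 ID:7707 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x63209372  Ack: 0xB2B2692C  Win: 0x2238  TcpLen: 24
TCP Options (1) => MSS: 1460

10/18-09:55:46.894132 192.0.2.10:80 -> 203.0.113.5:80
TCP TTL:128 TOS:0x0 ID:37345 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x30040264  Ack: 0xDD9B3E9A  Win: 0x2238  TcpLen: 24
TCP Options (1) => MSS: 1460

10/18-10:02:11.000001 192.0.2.10:3456 -> 203.0.113.5:80
TCP TTL:128 TOS:0x0 ID:40001 IpLen:20 DgmLen:48 DF
******S* Seq: 0x11111111  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (2) => MSS: 1460 NOP
"""

if __name__ == "__main__":
    for alert in parse_alerts(SAMPLE_ALERTS):
        f = classify(alert)
        print(f"{alert.ts} {alert.src}:{alert.sport} -> {alert.dst}:{alert.dport}: "
              f"{f.verdict}; initiator {f.initiator} from port {f.initiator_port}")
```

A SYN/ACK leaving your web server from port 80 can only be the reply to a SYN that arrived addressed to port 80, and the alert's destination port is the source port the remote host chose; `nmap -g 80` (equivalently `--source-port 80`) produces exactly that, which is why the posted alert shows 80 at both ends. The caveat a practitioner will want: a rule that allows packets by source port on a stateless packet filter is what this technique exploits, while a stateful firewall that only admits packets belonging to a connection it saw opened from the inside is not fooled by the chosen source port.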