Snort mailing list archives
RE: Help interpreting a trace
From: "Chris Eidem" <jceidem () dexma com>
Date: Mon, 22 Oct 2001 08:29:47 -0500
It could be that someone is attempting a scan using ports that you probably allow through your firewall. If no other ports are allowed, trying to sneak a scan in through ports 21, 53, 80, or 443 may get you more information, and nmap allows you to pick a source port for just this reason.

hth
Chris
-----Original Message-----
From: Sheahan, Paul (PCLN-NW) [mailto:Paul.Sheahan () priceline com]
Sent: Friday, October 19, 2001 11:26 AM
To: Snort List (E-mail)
Subject: [Snort-users] Help interpreting a trace

Running latest Snort on RH Linux 7. Occasionally, I see traces similar to the following, which just occurred here yesterday. The src and dst ports are the same. I created a custom rule to check for outgoing connections on port 80, which is what tripped this. Looking at the TCP settings, both SYN and ACK are set, which means this is a response, not an initiated connection from my network. In other words, the unknown server on the Internet had to communicate with my server first with a source port of 80. Is my interpretation correct? How can someone force a source port of 80? What would be the purpose of doing that anyway, since most IDS systems would pick right up on this? Any info is appreciated since I can't seem to find info on this anywhere else so far...

10/18-09:43:46.687742 <my web server>:80 -> <unknown server>:80
TCP TTL:128 TOS:0x0 ID:7707 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x63209372 Ack: 0xB2B2692C Win: 0x2238 TcpLen: 24
TCP Options (1) => MSS: 1460

10/18-09:55:46.894132 <my web server>:80 -> <unknown server>:80
TCP TTL:128 TOS:0x0 ID:37345 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x30040264 Ack: 0xDD9B3E9A Win: 0x2238 TcpLen: 24
TCP Options (1) => MSS: 1460

Thanks,
Paul

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
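The reasoning in the thread (a logged SYN/ACK leaving the web server with src and dst port both 80 implies an inbound SYN that arrived with source port 80) can be turned into a small detection check. The following is an added example, not code from either poster or from the Snort project: it parses Snort's packet-log format as quoted above, reconstructs the inbound probe that must have preceded each SYN/ACK, and flags responses whose remote port is a privileged port equal to the local service port. The host addresses, the 192.0.2.0/24 "local" network, and the third (ordinary inbound SYN) record are constructed placeholders standing in for the redacted hosts in the thread.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the two entries from the thread with placeholder
# addresses, plus one ordinary inbound SYN from an ephemeral port for contrast.
SAMPLE_LOG = """\
10/18-09:43:46.687742 192.0.2.10:80 -> 198.51.100.7:80
TCP TTL:128 TOS:0x0 ID:7707 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x63209372 Ack: 0xB2B2692C Win: 0x2238 TcpLen: 24
TCP Options (1) => MSS: 1460

10/18-09:55:46.894132 192.0.2.10:80 -> 198.51.100.7:80
TCP TTL:128 TOS:0x0 ID:37345 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x30040264 Ack: 0xDD9B3E9A Win: 0x2238 TcpLen: 24
TCP Options (1) => MSS: 1460

10/18-10:02:11.000000 203.0.113.5:51522 -> 192.0.2.10:80
TCP TTL:52 TOS:0x0 ID:1024 IpLen:20 DgmLen:60 DF
******S* Seq: 0x11111111 Ack: 0x0 Win: 0x7210 TcpLen: 40
"""

# Hypothetical address space of "my web server"; adjust to the monitored site.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")

# First line of a Snort packet-log record: timestamp, src:port -> dst:port
HEADER_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# Snort's 8-character TCP flag field, positions 1 2 U A P R S F ('*' = unset)
FLAGS_RE = re.compile(r"^(?P<flags>[12UAPRSF*]{8}) Seq:")


@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: set


def parse_snort_log(text):
    """Parse multi-line Snort packet-log records into Packet objects."""
    packets = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = Packet(m["ts"], m["src"], int(m["sport"]),
                             m["dst"], int(m["dport"]), set())
            packets.append(current)
            continue
        m = FLAGS_RE.match(line)
        if m and current is not None:
            current.flags = {c for c in m["flags"] if c != "*"}
    return packets


def is_local(ip):
    return ipaddress.ip_address(ip) in LOCAL_NET


def implied_probe(pkt):
    """A SYN/ACK is a reply, so the inbound SYN came from pkt.dst:pkt.dport
    to pkt.src:pkt.sport. Returns (remote, remote_port, local, local_port)
    or None if the packet is not a SYN/ACK."""
    if not {"S", "A"} <= pkt.flags:
        return None
    return (pkt.dst, pkt.dport, pkt.src, pkt.sport)


def classify(pkt):
    """Label a logged packet from the local server's point of view."""
    syn, ack = "S" in pkt.flags, "A" in pkt.flags
    if syn and ack and is_local(pkt.src) and not is_local(pkt.dst):
        # Remote port of a SYN/ACK is whatever source port the prober used.
        # A privileged port equal to our own service port (remote:80 -> local:80)
        # is the pattern Paul's custom rule caught; it is worth a closer look
        # because a firewall that trusts source ports would let it through.
        if pkt.dport < 1024 and pkt.dport == pkt.sport:
            return "synack_to_matching_privileged_port"
        return "synack_to_remote"
    if syn and not ack and is_local(pkt.dst):
        return "inbound_syn"
    return "other"


if __name__ == "__main__":
    for p in parse_snort_log(SAMPLE_LOG):
        label = classify(p)
        probe = implied_probe(p)
        print(f"{p.ts} {p.src}:{p.sport} -> {p.dst}:{p.dport} "
              f"flags={''.join(sorted(p.flags))} => {label}"
              + (f" (implied SYN from {probe[0]}:{probe[1]})" if probe else ""))
```

The check only looks at packets leaving the local network, so it is independent of whether the inbound probe itself was logged; that matters because, as the thread notes, a firewall that admits traffic by source port may never have shown the SYN to the sensor.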
Current thread:
- Help interpreting a trace Sheahan, Paul (PCLN-NW) (Oct 19)
- <Possible follow-ups>
- RE: Help interpreting a trace Chris Eidem (Oct 22)