Snort mailing list archives
RE: Unknown port traffic....
From: Clifford Durbin <CDurbin () toddpacific com>
Date: Thu, 26 Sep 2002 14:02:51 -0700
Brian,

Thanks for the information. I stopped the IPSec service but still get the same information. Not sure what service would be controlling h.323 though I am looking.

-cfd

-----Original Message-----
From: Brian F. Vaughan [mailto:bvaughan () wgen net]
Sent: Thursday, September 26, 2002 12:19 PM
To: Clifford Durbin; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Unknown port traffic....

Clifford,

Port 1120 is used by Win2k for IPSec, this is the most likely cause for the port activity you are seeing.

Brian Vaughan
IT Administrator
Wireless Generation, Inc.

-----Original Message-----
From: Clifford Durbin [mailto:CDurbin () toddpacific com]
Sent: Thursday, September 26, 2002 2:35 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Unknown port traffic....

Can anybody give me some insight what the heck is using port 1120 and 1900? From what I've read 1900 is UPnP on XP and ME but my machine (xxx.xxx.xxx.165) is a 2K server and the recipient address (xxx.xxx.xxx.161) is a Cisco router. Looking through the Internet Assignment Authority port assignments page (http://www.iana.org/assignments/port-numbers) it lists port 1900 as SSDP (Simple Service Discovery Protocol) and 1120 isn't even listed. I get these approximately every 30 seconds.

[**] ICMP Destination Unreachable (Port Unreachable) [**]
09/26-10:11:28.577837 xxx.xxx.xxx.161 -> xxx.xxx.xxx.165
ICMP TTL:255 TOS:0xC0 ID:60478 IpLen:20 DgmLen:56
Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
xxx.xxx.xxx.165:1120 -> xxx.xxx.xxx.161:1900
UDP TTL:127 TOS:0x0 ID:23456 IpLen:20 DgmLen:160
Len: 140
** END OF DUMP
00 00 00 00 45 00 00 A0 5B A0 00 00 7F 11 EF 32  ....E...[......2
CF 99 A8 A5 CF 99 A8 A1 04 60 07 6C 00 8C 9D E2  .........`.l....

Clifford Durbin
Sr. Systems Administrator
Todd Pacific Shipyards
Phone : 206-623-1635 x234
Fax : 206-442-8506
Email : cdurbin () toddpacific com <mailto:cdurbin () toddpacific com>

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
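
The alert quoted in this thread carries the start of the datagram that triggered the ICMP error, which is where Snort's "ORIGINAL DATAGRAM DUMP" fields come from. The following is an added example, not part of the original posts or of Snort: it decodes such a payload by hand, using a hypothetical function name and constructed sample bytes that reuse the alert's ports, lengths, ID and TTL with documentation addresses (192.0.2.x) and zeroed checksums.

```python
import ipaddress
import struct

# Constructed sample: bytes following the ICMP type/code/checksum words of a
# Destination Unreachable message (RFC 792): 4 unused bytes, then the original
# IP header and the first 8 bytes of the original datagram.
SAMPLE = bytes.fromhex(
    "00000000"                    # unused
    "450000a05ba000007f110000"    # IPv4, len 160, ID 23456, TTL 127, UDP
    "c00002a5c00002a1"            # 192.0.2.165 -> 192.0.2.161 (constructed)
    "0460076c008c0000"            # UDP 1120 -> 1900, length 140
)

def parse_unreachable_payload(payload: bytes) -> dict:
    """Recover the original flow quoted inside an ICMP type 3 message."""
    if len(payload) < 4 + 20:
        raise ValueError("payload too short for an embedded IPv4 header")
    inner = payload[4:]                      # skip the unused field
    if inner[0] >> 4 != 4:
        raise ValueError("embedded packet is not IPv4")
    ihl = (inner[0] & 0x0F) * 4              # header length in bytes
    if ihl < 20 or len(inner) < ihl:
        raise ValueError("bad embedded IPv4 header length")
    total_len, ip_id = struct.unpack("!HH", inner[2:6])
    flow = {
        "src": str(ipaddress.IPv4Address(inner[12:16])),
        "dst": str(ipaddress.IPv4Address(inner[16:20])),
        "ttl": inner[8],
        "proto": inner[9],
        "ip_id": ip_id,
        "dgm_len": total_len,
    }
    # Only the first 8 bytes of the transport header are guaranteed present.
    if flow["proto"] == 17 and len(inner) >= ihl + 8:
        sport, dport, udp_len = struct.unpack("!HHH", inner[ihl:ihl + 6])
        flow.update(sport=sport, dport=dport, udp_len=udp_len)
    return flow

if __name__ == "__main__":
    f = parse_unreachable_payload(SAMPLE)
    print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} "
          f"UDP TTL:{f['ttl']} ID:{f['ip_id']} DgmLen:{f['dgm_len']} "
          f"Len:{f['udp_len']}")
```

The same decoding applies to the raw hex lines at the end of a Snort alert, so a hex dump left in a posted alert still contains the addresses of the original datagram even when the text lines above it are masked.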