Snort mailing list archives

Wrong port numbers - Snort or ACID bug - how to fix?


From: Jerry.L.Rose () saj02 usace army mil
Date: Wed, 30 Apr 2003 12:52:59 -0500

Hello all,

I am running Snort Version 2.0.0 (Build 72) and barnyard version 0.1.0-beta6
on my NID sensors, ACID v0.9.6b21 on the webserver, and MySQL on the
database server. All are running on Linux RedHat 8.0 boxes.

Here's my problem...
I'm getting some ICMP alerts that show unusual original source and original
destination ports in the payload section. I set up a sniffer on the same
network segment as my NIDS and managed to capture the same ICMP packet on
both the sensor and sniffer for further investigation. My snort database
shows the original source port as port 16675 and the original destination
port as 14179. My sniffer shows the original source port as port 80 and the
original destination port as 1052. I am assuming that the data gets
converted improperly somewhere between Snort, barnyard, and ACID.

It seems to me that I've seen this problem somewhere before, but can't seem
to find the solution. Any ideas? I'm guessing that this is an ACID problem,
but am not sure.

Jerry Rose
Network Security Administrator
U.S. Army Corps of Engineers
Jacksonville District
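The "original" ports in an ICMP error alert come from the datagram quoted inside the ICMP message: the original IPv4 header followed by the first 8 bytes of the original transport header (RFC 792). One way to check which of two disagreeing tools is right is to decode that embedded header from the raw capture yourself. The following is an added example, not code from the post or from Snort, barnyard or ACID; it builds a constructed ICMP "port unreachable" message for a made-up TCP flow 10.0.0.5:80 -> 10.0.0.9:1052, decodes the ports correctly, and, as a generic illustration only, shows what two common decoder mistakes (a fixed 20-byte inner-header offset and reading the 16-bit ports in host rather than network byte order) would report. It makes no claim about what produced the 16675/14179 values in the post.

```python
import struct

# Constructed sample data (not from the original post): an ICMPv4
# "destination unreachable / port unreachable" message (type 3, code 3) as it
# sits after the outer IPv4 header. Per RFC 792 its body carries the original
# IPv4 header plus the first 8 bytes of the original transport header, which is
# where an IDS reads the "original" source and destination ports from.
# Original datagram: TCP 10.0.0.5:80 -> 10.0.0.9:1052 (made-up addresses).

ICMP_TYPES_WITH_ORIGINAL_DATAGRAM = {3, 4, 5, 11, 12}


def _ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_inner_ipv4(src, dst, proto, payload_len, options=b""):
    """Minimal IPv4 header; options must be a multiple of 4 bytes. Checksum left 0."""
    ihl_words = 5 + len(options) // 4
    total_len = ihl_words * 4 + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, total_len,
                      0x1234, 0x4000, 64, proto, 0, _ip_bytes(src), _ip_bytes(dst))
    return hdr + options


def build_icmp_unreachable(inner_ip, inner_l4_first8):
    """ICMP type 3 code 3 header (checksum left 0) followed by the quoted datagram."""
    return struct.pack("!BBHI", 3, 3, 0, 0) + inner_ip + inner_l4_first8


def sample_message(options=b""):
    """Constructed message quoting the first 8 bytes of a TCP 80 -> 1052 header."""
    tcp_first8 = struct.pack("!HHI", 80, 1052, 0x11223344)  # sport, dport, seq
    inner = build_inner_ipv4("10.0.0.5", "10.0.0.9", 6, 20, options)
    return build_icmp_unreachable(inner, tcp_first8)


def original_ports(icmp_msg):
    """Correct decode: honour the inner IHL field and network byte order."""
    icmp_type = icmp_msg[0]
    if icmp_type not in ICMP_TYPES_WITH_ORIGINAL_DATAGRAM:
        raise ValueError("ICMP type %d quotes no original datagram" % icmp_type)
    inner = icmp_msg[8:]
    if len(inner) < 20:
        raise ValueError("truncated inner IP header")
    ihl = (inner[0] & 0x0F) * 4      # inner header may carry IP options
    proto = inner[9]
    l4 = inner[ihl:ihl + 8]
    if proto not in (6, 17):          # only TCP/UDP begin with sport, dport
        return proto, None, None
    if len(l4) < 4:
        raise ValueError("truncated inner transport header")
    sport, dport = struct.unpack("!HH", l4[:4])
    return proto, sport, dport


def ports_fixed_offset_little_endian(icmp_msg):
    """Two generic decoding mistakes combined: assume a 20-byte inner header and
    read the ports in little-endian (host) order. Included only to make the
    effect of such bugs visible; not a statement about any particular tool."""
    inner = icmp_msg[8:]
    return struct.unpack("<HH", inner[20:24])


if __name__ == "__main__":
    msg = sample_message()
    print("correct:", original_ports(msg))                    # (6, 80, 1052)
    print("misread:", ports_fixed_offset_little_endian(msg))  # (20480, 7172)
    # Inner header carrying 4 bytes of options (NOP, NOP, NOP, EOL): the
    # fixed-offset reader now reports option bytes as ports, the correct
    # decoder is unaffected.
    msg_opt = sample_message(options=b"\x01\x01\x01\x00")
    print("with options, correct:", original_ports(msg_opt))                    # (6, 80, 1052)
    print("with options, misread:", ports_fixed_offset_little_endian(msg_opt))  # (257, 1)
```

To apply this to a real capture, feed `original_ports()` the bytes that follow the outer IPv4 header of the ICMP packet your sniffer saved; if the result matches the sniffer's 80/1052 reading, the raw packet is fine and the discrepancy lies in the storage or display path rather than on the wire.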
