Snort mailing list archives

RE: Wrong port numbers - Snort or ACID bug - how to fix?


From: "Semerjian, Ohanes" <ohanes.semerjian () au mci com>
Date: Thu, 1 May 2003 15:27:33 +0800

I hope this will be of assistance to you. ICMP doesn't use ports...? as it is
not a layer three protocol, so what you are seeing in the payload is the original
packet that caused the ICMP packet due to some kind of error. Now let's agree
on one thing, and that is that what you are capturing with your sniffer is the most
correct info you could depend on. I don't know what the layout is at your site, but
depend on the captured packets to analyse and understand what is going on at your
site.


Best Regards 

Ohanes Semerjian 
Security Engineer, AsiaPac 
International Security Group  (Central Services) 
WorldCom International 

Ph:(02) 9434 5636 
Mob: 0410 657 249 

PGP Key 
75DF 2980 5663 2DC1 12CD  E43E 94D6 7A9A 222D 3449 
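
Editor's note: the reply above rests on one fact worth seeing in code, namely that an ICMP error message (destination unreachable, time exceeded, and so on) quotes the IP header and first 8 bytes of the datagram that triggered it, and that the "original" ports live inside that quoted header, not in ICMP itself. The following is an added example, not code from either poster or from Snort, barnyard or ACID. It builds a constructed ICMP port-unreachable packet (the 80/1052 port pair is borrowed from Jerry's sniffer reading purely as sample data, the addresses are documentation ranges) and decodes it the way a sniffer does: honour the outer IP header length, skip the 8-byte ICMP header, honour the inner IP header length, then read the ports. Running the same capture through a decoder like this gives an independent reference to compare against whatever a sensor's database shows.

```python
import socket
import struct
from typing import Optional

# ICMP types that carry the offending datagram (RFC 792): the quoted IP
# header plus the first 8 bytes of its payload, which for TCP and UDP hold
# the original source and destination ports.
ICMP_ERROR_TYPES = {
    3: "destination-unreachable",
    4: "source-quench",
    5: "redirect",
    11: "time-exceeded",
    12: "parameter-problem",
}


def inet_checksum(data: bytes) -> int:
    """Ones-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0x1234, 0, 64, proto, 0,
        socket.inet_aton(src), socket.inet_aton(dst),
    )
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_icmp_error(router: str, host: str, icmp_type: int, icmp_code: int,
                     orig_src: str, orig_dst: str, orig_proto: int,
                     sport: int, dport: int) -> bytes:
    """Constructed sample: an ICMP error quoting the datagram that caused it."""
    # First 8 bytes of the original transport header: the two ports, then
    # (for TCP) the start of the sequence number, zeroed here.
    orig_transport = struct.pack("!HH", sport, dport) + b"\x00" * 4
    orig_ip = build_ipv4_header(orig_src, orig_dst, orig_proto, len(orig_transport))
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + orig_ip + orig_transport
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return build_ipv4_header(router, host, 1, len(icmp)) + icmp


def parse_icmp_error(packet: bytes) -> Optional[dict]:
    """Decode the datagram quoted inside an ICMP error.

    Returns None when the packet is ICMP but not an error type (echo, etc.),
    since those carry no quoted datagram and therefore no original ports.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    outer_ihl = (packet[0] & 0x0F) * 4          # respect IP options if present
    if packet[9] != 1:
        raise ValueError("not an ICMP packet")
    icmp = packet[outer_ihl:]
    icmp_type, icmp_code = icmp[0], icmp[1]
    if icmp_type not in ICMP_ERROR_TYPES:
        return None
    inner = icmp[8:]                             # quoted original datagram
    if len(inner) < 28 or inner[0] >> 4 != 4:
        raise ValueError("truncated or malformed quoted datagram")
    inner_ihl = (inner[0] & 0x0F) * 4            # the inner header may have options too
    inner_proto = inner[9]
    transport = inner[inner_ihl:inner_ihl + 8]
    sport = dport = None
    if inner_proto in (6, 17) and len(transport) >= 4:   # TCP or UDP
        sport, dport = struct.unpack("!HH", transport[:4])
    return {
        "icmp_type": ICMP_ERROR_TYPES[icmp_type],
        "icmp_code": icmp_code,
        "orig_src": socket.inet_ntoa(inner[12:16]),
        "orig_dst": socket.inet_ntoa(inner[16:20]),
        "orig_proto": inner_proto,
        "orig_sport": sport,
        "orig_dport": dport,
    }


if __name__ == "__main__":
    # Constructed sample: a web server's reply from port 80 to client port 1052
    # bounced back as ICMP type 3 code 3 (port unreachable).
    sample = build_icmp_error("192.0.2.1", "192.0.2.10", 3, 3,
                              "192.0.2.10", "198.51.100.7", 6, 80, 1052)
    print(parse_icmp_error(sample))
```

The decoder deliberately recomputes both header lengths from the IHL fields rather than assuming 20 bytes; a decoder that hard-codes offsets will read the wrong two bytes as soon as either header carries options, which is one of the simpler ways an "original port" field can come out as an unrelated number. The same function can be pointed at a packet pulled from a pcap to compare against a sensor's stored values.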

-----Original Message-----
From: Jerry.L.Rose () saj02 usace army mil
[mailto:Jerry.L.Rose () saj02 usace army mil]
Sent: Thursday, 1 May 2003 3:53 AM
To: snort-users () lists sourceforge net; acidlab-users () lists sourceforge net
Subject: [Snort-users] Wrong port numbers - Snort or ACID bug - how to fix?



Hello all, 

I am running Snort Version 2.0.0 (Build 72) and barnyard version 0.1.0-beta6
on my NID sensors, ACID v0.9.6b21 on the webserver, and MySQL on the
database server. All are running on Linux RedHat 8.0 boxes.

Here's my problem... 
I'm getting some ICMP alerts that show unusual original source and original
destination ports in the payload section. I set up a sniffer on the same
network segment as my NIDS and managed to capture the same ICMP packet on
both the sensor and sniffer for further investigation. My snort database
shows the original source port as port 16675 and the original destination
port as 14179. My sniffer shows the original source port as port 80 and the
original destination port as 1052. I am assuming that the data gets
converted improperly somewhere between Snort, barnyard, and ACID.

It seems to me that I've seen this problem somewhere before, but can't seem
to find the solution. Any ideas? I'm guessing that this is an ACID problem,
but am not sure.

Jerry Rose 
Network Security Administrator 
U.S. Army Corps of Engineers 
Jacksonville District 
