Snort mailing list archives

Re: Nmap

From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 18 Nov 2003 11:52:11 -0500

At 06:13 AM 11/15/2003, Mark Fagan wrote:

I dont fully agree here.

Unless your using an antique firewall its not possible to allow traffic based
on source port.

To my knowledge every version of IPChains, IPTables, openbsd PF, BSD IPF,Cisco PIX, and Cisco IOS has some form of rule which you can add to forceallow traffic to pass the firewall based only on source port.

Not that it's a good idea.. but I challenge your assertion that it's notpossible on a modern firewall... In fact, I'd be surprised if _any_ majorfirewalls would flat out refuse such a rule if manually configured to doso.. Maybe some of the more paranoid ones such as the Secure ComputingSidewinder G2 might refuse such things, but certainly there are a largenumber of major firewalls that will accept such things.

Also anyone who (where possible) allows traffic based on source port needs
their heads examined.

I agree.. that's why I referred to said admins as incompetent. Yes, they doneed their heads examined, but there really are admins out there that knowabsolutely nothing about TCP/IP that are administering firewalls. It's verycommon for a small company to have a single MCSE guy on staff to run theirWindows NT/2k/2003 file servers who is also responsible (by default) forrunning the firewall..

Not all MCSE's know TCP/IP, and the ones that don't are just going to makeup some arbitrary bypass rules to "make it work" without understandingwhat's going on. This really does happen, and hackers do know it, and dotry to take advantage of it.

The source port seems spoofed in this example, however B2B applications Ihave
seen previously can use same source as dest port for communication, so dont
panic until you actually investigate the source.

In this case it's not the same src/dest port pairing.. it's TCP trafficfrom a HTTP port to a DNS port.. That traffic pattern is VERY suspect.

Sure it's possible that some crack smoking Windows programmer decided thatDNS queries should be done using port 80 as a source, and be done using TCPinstead of UDP.. but that's not very likely.





-------------------------------------------------------
This SF. Net email is sponsored by: GoToMyPC
GoToMyPC is the fast, easy and secure way to access your computer from
any Web browser or wireless device. Click here to Try it Free!
https://www.gotomypc.com/tr/OSDN/AW/Q4_2003/t/g22lp?Target=mm/g22lp.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Nmap Gerson Sampaio (Nov 14)
- Re: Nmap Matt Kettler (Nov 14)
  - Re: Nmap Mark Fagan (Nov 15)
    - Re: Nmap Matt Kettler (Nov 18)
    - Re: Nmap Mark Fagan (Nov 19)
    - Re: Nmap Matt Kettler (Nov 19)
- <Possible follow-ups>
- RE: Nmap Esler, Joel - Contractor (Nov 17)
- RE: Nmap MH (Nov 17)
- RE: Nmap bmcdowell (Nov 19)
  - Message not available
    - RE: Nmap Matt Kettler (Nov 19)
- RE: Nmap Marc Quibell (Nov 20)