Snort mailing list archives

Re: Calling all packet monkeys


From: Paul Schmehl <pauls () utdallas edu>
Date: Wed, 23 Mar 2005 14:12:26 -0600

--On Wednesday, March 23, 2005 07:00:59 AM -0800 SN ORT <snort_on_acid () yahoo com> wrote:

> Hehe ... "someone brought in a laptop with a foreign
> IP" now there would be a sight to see, plugging in
> your own IP and then expecting it to route back in...
>
> OK, so Hi Paul in Dallas. I suspect that the TCP
> session may have been started by an internal host that
> was src: 161, dst: 135 and that the return traffic is
> the answer to an established session over port 135,
> and that your ACL allows established sessions first?

That's one possibility.

> Just making sure, is the snmp traffic blocked at both
> UDP and TCP? Hope this helps..

Default policy is deny. Neither 161/udp nor 161/tcp is allowed. We see responses (blocked of course) in the PIX logs from our host/0 to foreign host/135 and foreign host/8000.

It's a curiosity more than anything else.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

