[Snort-devel] a doozie of a metaphysical question

Erik Fichtner emf at ...28...
Wed Jun 13 09:58:09 EDT 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Jun 12, 2001 at 10:35:05PM -0400, tlewis at ...255... wrote:
> If you see a UDP packet with a source port of 123 (NTP) and a destination
> port of 53 (DNS), then what protocol should you assume is used in that
> packet?  

You shouldn't assume anything, IMHO.  NTP and DNS both have nice identifying
characteristics inside the packet.   Couple extra checks, but it shouldn't
affect the overall processing time in any terribly significant way..

- -- 
Erik Fichtner
Security Administrator, ServerVault, Inc.
703-333-5900
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7J3FwQ7EzrewLMS0RAt2HAJwP973V2aX7H8ELsWlwNDMxSwJgDQCfX3Zi
+nisYKRigU8DLntvcdpgMXw=
=YVbA
-----END PGP SIGNATURE-----
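The "couple extra checks" suggested in the reply above could look like the following. This is an added example, not Snort code and not from the original post. The names `classify_udp`, `looks_like_ntp` and `looks_like_dns` are hypothetical, the field checks are heuristics drawn from the NTP and DNS header layouts, and the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum proto { PROTO_UNKNOWN, PROTO_DNS, PROTO_NTP, PROTO_AMBIGUOUS };

/* Constructed samples: NTPv4 client request; DNS query "example.com" A IN. */
static const uint8_t SAMPLE_NTP[48] = { 0x23, 0x00, 0x06, 0xEC };
static const uint8_t SAMPLE_DNS[29] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, 0, 1, 0, 1 };

/* NTP: 48-byte header plus 4-byte-aligned extras; byte 0 = LI|VN|Mode. */
static int looks_like_ntp(const uint8_t *p, size_t len)
{
    if (len < 48 || (len - 48) % 4 != 0) return 0;
    unsigned vn = (p[0] >> 3) & 0x7, mode = p[0] & 0x7;
    return vn >= 1 && vn <= 4 && mode >= 1 && mode <= 5;
}

/* DNS: 12-byte header, assigned opcode, then a well-formed first question. */
static int looks_like_dns(const uint8_t *p, size_t len)
{
    if (len < 12) return 0;
    unsigned opcode = (p[2] >> 3) & 0xF, qdcount = (p[4] << 8) | p[5];
    if (opcode > 5 || opcode == 3 || qdcount == 0) return 0;
    size_t off = 12;
    while (off < len && p[off] != 0) {   /* walk length-prefixed labels */
        if (p[off] > 63) return 0;       /* no compression in a first QNAME */
        off += p[off] + 1u;
    }
    /* need root label + QTYPE + QCLASS, and a name of at most 255 bytes */
    if (off + 5 > len || off - 12 > 254) return 0;
    unsigned qclass = (p[off + 3] << 8) | p[off + 4];
    return qclass == 1 || qclass == 3 || qclass == 255;  /* IN, CH, ANY */
}

/* Ports are ignored on purpose: only the payload structure decides. */
enum proto classify_udp(const uint8_t *p, size_t len)
{
    int dns = looks_like_dns(p, len), ntp = looks_like_ntp(p, len);
    if (dns && ntp) return PROTO_AMBIGUOUS;
    return dns ? PROTO_DNS : ntp ? PROTO_NTP : PROTO_UNKNOWN;
}

int main(void)
{
    printf("%d %d\n", classify_udp(SAMPLE_NTP, 48), classify_udp(SAMPLE_DNS, 29));
    return 0;
}
```

A payload can satisfy both sets of checks (a long DNS query whose ID happens to look like an NTP first byte), which is why the classifier reports `PROTO_AMBIGUOUS` rather than picking one.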



