[Snort-devel] Snort 2.0 and T/TCP false alarm

Simon Hradecky shradecky at ...2054...
Thu Jun 26 07:50:04 EDT 2003


I am using Snort 2.0.0 as released April 14th 2003. In addition to the 
normal rules I have added a rule logging _all_ traffic in tcpdump format, as 
we are currently experiencing several attacks which Snort can't account for 
(OpenSSL attacks).

Today Snort alerted me to two T/TCP packets, seemingly originating from 
port 0 of the sender IP and going to port 0 of our server. When I then 
checked the tcpdump file with Ethereal, I was able to identify the packet 
exactly by its signature and all the other details listed in the alert; 
however, both source and destination port were _NOT_ 0. It was actually a 
regular and perfectly normal connection to our SMTP server. Let me know 
ASAP if you need the alert and an (excerpt of the) tcpdump file, as it 
will scroll off shortly.
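
The cross-check described above, decoding the captured segment to compare its real ports against the ports printed in the alert, as an added example that is not part of the original post and not Snort's own decoder. It assumes the T/TCP option kinds from RFC 1644 (CC = 11, CC.NEW = 12, CC.ECHO = 13) and uses a constructed SMTP SYN segment carrying a CC option as sample input; it does not reproduce whatever caused Snort 2.0.0 to print port 0.

```python
import struct

# T/TCP option kinds as defined in RFC 1644 (assumption: these are the
# options a "T/TCP" alert refers to; Snort's own matching is not reproduced).
TTCP_OPTION_KINDS = {11: "CC", 12: "CC.NEW", 13: "CC.ECHO"}


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed TCP header and option list from a raw TCP segment.

    Returns the real source/destination ports, the flags, the options
    present as (kind, data) pairs, and whether any T/TCP option was seen.
    """
    if len(segment) < 20:
        raise ValueError("segment shorter than a minimal TCP header")
    sport, dport, seq, ack, off_res, flags, window, csum, urg = struct.unpack(
        "!HHIIBBHHH", segment[:20]
    )
    data_offset = (off_res >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset %d" % data_offset)

    options = []
    i = 20
    while i < data_offset:
        kind = segment[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP padding, single byte
            options.append((kind, b""))
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("truncated option at offset %d" % i)
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("bad option length %d" % length)
        options.append((kind, segment[i + 2:i + length]))
        i += length

    return {
        "sport": sport,
        "dport": dport,
        "flags": flags,
        "options": options,
        "ttcp": any(k in TTCP_OPTION_KINDS for k, _ in options),
    }


def alert_ports_match(alert_sport: int, alert_dport: int, segment: bytes) -> bool:
    """Cross-check the ports an alert reports against the packet's TCP header."""
    hdr = parse_tcp_header(segment)
    return (hdr["sport"], hdr["dport"]) == (alert_sport, alert_dport)


# Constructed sample segment (not taken from the original post): a SYN from
# ephemeral port 34567 to SMTP port 25 carrying a T/TCP CC option (kind 11,
# length 6), padded with two NOPs so the header stays 4-byte aligned.
SYN = 0x02
SAMPLE_SEGMENT = struct.pack(
    "!HHIIBBHHH",
    34567, 25, 0x11223344, 0, (7 << 4), SYN, 65535, 0, 0,
) + bytes([11, 6, 0, 0, 0, 1, 1, 1])

if __name__ == "__main__":
    hdr = parse_tcp_header(SAMPLE_SEGMENT)
    print("ports %d -> %d, T/TCP options: %s" % (
        hdr["sport"], hdr["dport"],
        [TTCP_OPTION_KINDS[k] for k, _ in hdr["options"] if k in TTCP_OPTION_KINDS]))
    # An alert claiming 0 -> 0 does not match the decoded header.
    print("alert 0 -> 0 matches packet:", alert_ports_match(0, 0, SAMPLE_SEGMENT))
```

To apply this to a real capture, feed the function the TCP payload of the IP packet identified in the alert (after stripping the link-layer and IP headers); a mismatch between the decoded ports and the alert's ports confirms the alert text, not the packet, is wrong.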
