[Snort-devel] Snort 2.0 and T/TCP false alarm
shradecky at ...2054...
Thu Jun 26 07:50:04 EDT 2003
I am using Snort 2.0.0 as released April 14th 2003. In addition to the
normal rules I have added a rule logging _all_ traffic in tcpdump format, as we
are currently experiencing several attacks which Snort can't account for.

Today Snort alerted me to two encounters of T/TCP packets, seemingly
originating from port 0 of the sender IP and going to port 0 of our server. When I
then checked the tcpdump with Ethereal, I was able to exactly identify the
packet by its signature and all other details listed in the alert; however,
both source and destination port were _NOT_ 0. It was actually a regular
and perfectly normal communication to our SMTP server. Let me know asap if
you need the alert and (an excerpt of) the tcpdump file, as it will scroll off shortly.
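An added example, not code from the original post or from the Snort project, of the cross-check described above: decode the real TCP ports and T/TCP options from a captured frame so an alert's "port 0 to port 0" claim can be verified against the capture. The frame below is constructed for the demonstration; the option kinds 11, 12 and 13 are the CC, CC.NEW and CC.ECHO options defined by RFC 1644.

```python
import struct

# Constructed sample frame (not from the original report): Ethernet + IPv4 + TCP SYN
# from 10.0.0.5:40123 to 10.0.0.25:25 carrying the T/TCP CC.NEW option (kind 12).
def build_sample_frame():
    eth = b"\x00" * 12 + b"\x08\x00"                      # dummy MACs, EtherType IPv4
    tcp_opts = b"\x0c\x06" + struct.pack("!I", 0x12345678) + b"\x01\x01"  # CC.NEW + 2 NOPs
    data_offset = (20 + len(tcp_opts)) // 4              # 28 bytes -> 7 words
    tcp = struct.pack("!HHIIBBHHH", 40123, 25, 1000, 0,
                      data_offset << 4, 0x02, 8192, 0, 0) + tcp_opts   # flags=SYN
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 25]))     # proto 6 = TCP
    return eth + ip + tcp

TTCP_OPTION_KINDS = {11: "CC", 12: "CC.NEW", 13: "CC.ECHO"}

def parse_tcp(frame):
    """Return (src_ip, dst_ip, sport, dport, flags, option_names), or None if not IPv4/TCP."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])          # the ports really on the wire
    doff = (tcp[12] >> 4) * 4
    flags = tcp[13]
    opts, names, i = tcp[20:doff], [], 0
    while i < len(opts):                                  # walk the TCP option list
        kind = opts[i]
        if kind == 0:                                     # End of Option List
            break
        if kind == 1:                                     # NOP has no length byte
            i += 1
            continue
        length = opts[i + 1]
        if length < 2:                                    # malformed option, stop walking
            break
        names.append(TTCP_OPTION_KINDS.get(kind, "kind%d" % kind))
        i += length
    return (src, dst, sport, dport, flags, names)

def check_alert(frame, alert_sport, alert_dport):
    """True only if the ports printed in the alert match the ports in the packet."""
    parsed = parse_tcp(frame)
    return parsed is not None and (parsed[2], parsed[3]) == (alert_sport, alert_dport)
```

Running `check_alert(build_sample_frame(), 0, 0)` returns False for the sample frame, which is the mismatch the post describes, while the real ports 40123 and 25 are returned by `parse_tcp`.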