[Snort-devel] Snort 2.0 and T/TCP false alarm

Chris Green cmg at ...402...
Mon Jun 30 08:08:17 EDT 2003


Simon Hradecky <shradecky at ...2054...> writes:

> Today Snort alerted me of two encounters of T/TCP packets, seemingly 
> originating from port 0 of sender IP going to port 0 of our server. When I 
> then checked the tcpdump with ethereal, I was able to exactly identify the 
> packet by its signature and all other details listed in the Alert, however 
> both source and destination port were _NOT_ 0. It was actually a regular 
> and perfectly normal communication to our smtp server. Let me know asap if 
> you need alert and (excerpt) tcpdump file, as it will scroll off shortly.

Yeah, the option alerts yell before p->dp & p->sp are set, resulting in
the ugly alerts.

Will be fixed sometime soon..
-- 
Chris Green <cmg at ...402...>
Eschew obfuscation.
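
The ordering problem described in the reply above, as an added example: a simplified C model, not Snort's code and not part of the original thread, in which an alert raised while walking the TCP options reports port 0 unless the ports are filled in first. The `Packet` and `Alert` structs, all function names and the sample segment are assumptions made for illustration; only `sp`/`dp` and the T/TCP context come from the thread.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model, NOT Snort's source. sp/dp stand in for the p->sp and
 * p->dp fields named in the reply; every other name is hypothetical. */
typedef struct { uint16_t sp, dp; } Packet;
typedef struct { int fired; uint16_t sp, dp; } Alert;

#define TCPOPT_CC 11 /* T/TCP connection count option (RFC 1644) */
static uint16_t be16(const uint8_t *b) { return (uint16_t)((b[0] << 8) | b[1]); }
static void set_ports(Packet *p, const uint8_t *seg) { p->sp = be16(seg); p->dp = be16(seg + 2); }

/* Walk the TCP options; on a CC option, raise an alert that copies whatever
 * ports the packet struct holds at this moment. */
static void check_options(const Packet *p, const uint8_t *seg, size_t len, Alert *a)
{
    size_t hlen = len >= 20 ? (size_t)(seg[12] >> 4) * 4 : 0;
    if (hlen < 20 || hlen > len) return;           /* malformed header */
    for (size_t i = 20; i < hlen; ) {
        uint8_t kind = seg[i];
        if (kind == 0) break;                      /* end of option list */
        if (kind == 1) { i++; continue; }          /* NOP padding */
        if (i + 1 >= hlen || seg[i + 1] < 2 || i + seg[i + 1] > hlen) break;
        if (kind == TCPOPT_CC) { a->fired = 1; a->sp = p->sp; a->dp = p->dp; }
        i += seg[i + 1];
    }
}

/* Ordering described in the reply: the option alert fires before the ports are set. */
Alert decode_alert_first(const uint8_t *seg, size_t len)
{
    Packet p = {0, 0}; Alert a = {0, 0, 0};
    check_options(&p, seg, len, &a);
    if (len >= 20) set_ports(&p, seg);
    return a;
}

/* Ports filled in first, so the alert carries the values seen on the wire. */
Alert decode_ports_first(const uint8_t *seg, size_t len)
{
    Packet p = {0, 0}; Alert a = {0, 0, 0};
    if (len >= 20) set_ports(&p, seg);
    check_options(&p, seg, len, &a);
    return a;
}

/* Constructed sample: SYN from port 40000 to port 25 with NOP, NOP, CC options. */
const uint8_t SAMPLE_SEG[28] = {
    0x9c, 0x40, 0x00, 0x19, 0, 0, 0, 1, 0, 0, 0, 0, 0x70, 0x02, 0x16, 0xd0,
    0, 0, 0, 0, 1, 1, TCPOPT_CC, 6, 0, 0, 0, 1 };
```

Both orderings detect the same option; only the ports copied into the alert differ, which is why the packet in the capture could still be matched on its other details.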



