[Snort-devel] Snort 2.0 and T/TCP false alarm
cmg at ...402...
Mon Jun 30 08:08:17 EDT 2003
Simon Hradecky <shradecky at ...2054...> writes:
> Today Snort alerted me of two encounters of T/TCP packets, seemingly
> originating from port 0 of sender IP going to port 0 of our server. When I
> then checked the tcpdump with Ethereal, I was able to exactly identify the
> packet by its signature and all other details listed in the Alert, however
> both source and destination port were _NOT_ 0. It was actually a regular
> and perfectly normal communication to our SMTP server. Let me know ASAP if
> you need alert and (excerpt) tcpdump file, as it will scroll off shortly.
Yeah, the option alerts yell before p->dp & p->sp are set, resulting in
the ugly alerts.
Will be fixed sometime soon.
Chris Green <cmg at ...402...>
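
The ordering problem described in the reply, as an added example that is not Snort's decoder code: an alert raised while walking TCP options records whatever ports the packet structure holds at that moment, so it reports 0 -> 0 when the ports are filled in afterwards. `Packet`, `Alert`, `decode_options`, `decode_tcp` and `SAMPLE_SEG` are hypothetical names; only the fields `sp` and `dp` come from the message, and the segment bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical structures; only the field names sp/dp come from the message. */
typedef struct { uint16_t sp, dp; } Packet;
typedef struct { int fired; uint16_t sp, dp; } Alert; /* ports as the alert saw them */

static uint16_t rd16(const uint8_t *b) { return (uint16_t)((b[0] << 8) | b[1]); }

/* Walk the TCP options; on a T/TCP option (CC=11, CC.NEW=12, CC.ECHO=13,
 * RFC 1644) record an alert using whatever ports p holds at this moment. */
static void decode_options(const uint8_t *o, size_t len, const Packet *p, Alert *a)
{
    size_t i = 0;
    while (i < len && o[i] != 0) {                 /* 0 = end of option list */
        if (o[i] == 1) { i++; continue; }          /* 1 = NOP, single byte */
        if (i + 1 >= len || o[i + 1] < 2 || i + o[i + 1] > len) break; /* malformed */
        if (o[i] >= 11 && o[i] <= 13) { a->fired = 1; a->sp = p->sp; a->dp = p->dp; }
        i += o[i + 1];
    }
}

/* ports_first = 0: options decoded before ports are set (the reported order).
 * ports_first = 1: ports filled in before any option alert can fire. */
Alert decode_tcp(const uint8_t *seg, size_t len, int ports_first)
{
    Packet p = {0, 0};
    Alert a = {0, 0, 0};
    if (len < 20) return a;
    size_t hlen = (size_t)(seg[12] >> 4) * 4;      /* data offset in 32-bit words */
    if (hlen < 20 || hlen > len) return a;
    if (ports_first) { p.sp = rd16(seg); p.dp = rd16(seg + 2); }
    decode_options(seg + 20, hlen - 20, &p, &a);
    if (!ports_first) { p.sp = rd16(seg); p.dp = rd16(seg + 2); }
    return a;
}

/* Constructed sample: SYN from port 40000 to port 25 carrying NOP, NOP, CC. */
const uint8_t SAMPLE_SEG[28] = {
    0x9C, 0x40, 0x00, 0x19, 0, 0, 0, 1, 0, 0, 0, 0, 0x70, 0x02, 0xFF, 0xFF,
    0, 0, 0, 0, 0x01, 0x01, 0x0B, 0x06, 0, 0, 0, 1 };

int main(void)
{
    for (int first = 0; first <= 1; first++) {
        Alert a = decode_tcp(SAMPLE_SEG, sizeof SAMPLE_SEG, first);
        printf("ports_first=%d alert=%d %u -> %u\n", first, a.fired, a.sp, a.dp);
    }
    return 0;
}
```

When triaging an alert that shows port 0 on both sides, compare it with the capture by sequence number and timestamp, as the original report did, before treating the ports as real.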