[Snort-sigs] SID 524 submission

Todd O'Boyle oboyle at ...8...
Wed Mar 27 21:31:03 EST 2002


All, here's a little bit of information I scraped together on SID 524.
If you know anything else about TCP port 0 traffic, please feel free to
add.

-Todd
-- 
Todd O'Boyle
-------------- next part --------------
# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule: BAD TRAFFIC tcp port 0 traffic

--
Sid: 524

--
Summary: Attackers sending packets to TCP port 0.

--
Impact: Little to none.  There are no known operating systems that will
abend because of a packet sent to TCP port 0.

--
Detailed Information: These packets are generally seen with source and
destination port of zero (which is invalid), and many of the other fields
in the packet will be zero, including the ACK number and the SEQ number.  They
sometimes contain incorrect checksums.

--
Attack Scenarios: Attackers may use source and/or destination port zero to
perform reconnaissance on a network.

--
Ease of Attack: Extremely easy.

--
False Positives: None.

--
False Negatives: As this is easy to detect, false negatives should be minimal.

--
Corrective Action: Filter port 0 at your network boundary or at the host level.

--
Contributors:

-- 
Additional References: intrusions at ...473...
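A small checker for the indicators this description lists (port 0 as source or destination, zero SEQ and ACK numbers, incorrect TCP checksum), added here as a worked example; it is not part of the original submission or of Snort. The packets it inspects are constructed inline from IPv4 documentation addresses, and `build_packet` is a hypothetical helper for producing them.

```python
import struct


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def inspect_tcp_port0(packet: bytes) -> dict:
    """Report the SID 524 indicators present in a raw IPv4/TCP packet (no link layer)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:  # protocol field: 6 is TCP
        return {"alert": False, "reason": "not TCP"}
    src_ip, dst_ip = packet[12:16], packet[16:20]
    tcp = packet[ihl:]
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    stored = struct.unpack("!H", tcp[16:18])[0]
    # Recompute the checksum over the pseudo-header plus the segment with its checksum field zeroed.
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(tcp))
    zeroed = tcp[:16] + b"\x00\x00" + tcp[18:]
    return {
        "alert": sport == 0 or dport == 0,   # what the SID 524 rule fires on
        "src_port": sport,
        "dst_port": dport,
        "zero_seq_ack": seq == 0 and ack == 0,
        "bad_checksum": _checksum(pseudo + zeroed) != stored,
    }


def build_packet(sport: int, dport: int, seq: int = 0, ack: int = 0, corrupt: bool = False) -> bytes:
    """Constructed sample: minimal 20-byte IPv4 header plus a 20-byte TCP SYN.

    With corrupt=True the correct checksum is bit-flipped to imitate the
    incorrect checksums the description mentions.
    """
    src_ip, dst_ip = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])  # constructed addresses
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x02, 8192, 0, 0)
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(tcp))
    csum = _checksum(pseudo + tcp)
    if corrupt:
        csum ^= 0xFFFF
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src_ip, dst_ip)
    return ip + tcp
```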
