[Snort-sigs] SID 524 submission

David Wilburn bug at ...270...
Thu Mar 28 05:48:06 EST 2002


I've always been a bit unclear on this sig.  Don't some versions of IRIX
listen on port 0 for some bizarre reason?

-Dave Wilburn

On Wed, Mar 27, 2002 at 10:15:46AM -0600, Todd O'Boyle wrote:
> All, here's a little bit of information I scraped together on SID 524. 
> If you know anything else about TCP port 0 traffic, please feel free to
> add.
> 
> -Todd
> -- 
> Todd O'Boyle
> # This is a template for submitting snort signature descriptions to
> # the snort.org website
> #
> # Ensure that your descriptions are your own
> # and not the work of others.  References in the rules themselves
> # should be used for linking to other's work. 
> #
> # If you are unsure of some part of a rule, use that as a commentary
> # and someone else perhaps will be able to fix it.
> # 
> # $Id$
> #
> # 
> 
> Rule: BAD TRAFFIC tcp port 0 traffic
> 
> --
> Sid: 524
> 
> --
> Summary: Attackers sending packets to TCP port 0.
> 
> --
> Impact: Little to none.  There are no known operating systems that will
> abend because of a packet sent to TCP port 0.
> 
> --
> Detailed Information: These packets are generally seen with source and
> destination port of zero (which is invalid) and many of the other fields
> in the packet will be zero including the ACK number, the SEQ number.  They
> sometimes contain incorrect checksums.
> 
> --
> Attack Scenarios: Attackers may use source and/or destination port zero to
> perform reconnaissance on a network.
> 
> --
> Ease of Attack: Extremely easy.
> 
> --
> False Positives: None.
> 
> --
> False Negatives: As this is easy to detect, false negatives should be minimal.
> 
> --
> Corrective Action: Filter port 0 at your network boundary or at the host level.
> 
> --
> Contributors:
> 
> -- 
> Additional References: intrusions at ...473...
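The detection condition described in the quoted SID 524 write-up (either TCP port zero, often with zero SEQ/ACK numbers and a bad checksum), as an added example that is not part of either poster's message: a small Python inspector that parses a raw IPv4/TCP header, alerts on port 0 in either direction, and records the secondary indicators the write-up mentions as context. The packet bytes are constructed inline for testing; the addresses, ports and `build_ipv4_tcp` helper are made-up for the example and are not Snort's code.

```python
"""Port-0 inspector in the spirit of Snort SID 524 (added example, not Snort code)."""
import struct

TCP_PROTO = 6


def _ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071 style)."""
    if len(data) % 2:
        data += b"\x00"  # pad odd length with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment (checksum field zeroed)."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, TCP_PROTO, len(segment))
    return (~_ones_complement_sum(pseudo + segment)) & 0xFFFF


def build_ipv4_tcp(src_ip: str, dst_ip: str, sport: int, dport: int,
                   seq: int = 0, ack: int = 0, flags: int = 0x02,
                   valid_checksum: bool = True) -> bytes:
    """Construct a bare IPv4+TCP packet (no options, no payload) for testing.
    The IPv4 header checksum is left at zero because it is not inspected here."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    # TCP header: ports, seq, ack, data offset (5 words), flags, window, csum=0, urg=0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    csum = tcp_checksum(src, dst, tcp)
    if not valid_checksum:
        csum ^= 0xFFFF  # deliberately corrupt the checksum for the test case
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, TCP_PROTO, 0, src, dst)
    return ip + tcp


def inspect_ipv4_tcp(packet: bytes) -> dict:
    """Return the alert decision and observed indicators for one IPv4/TCP packet."""
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4 or packet[9] != TCP_PROTO:
        return {"alert": False, "sport": None, "dport": None, "reasons": ["not IPv4/TCP"]}
    ihl = (ver_ihl & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    src, dst = packet[12:16], packet[16:20]
    tcp = packet[ihl:total_len]
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    stored = struct.unpack("!H", tcp[16:18])[0]
    computed = tcp_checksum(src, dst, tcp[:16] + b"\x00\x00" + tcp[18:])
    reasons = []
    if sport == 0:
        reasons.append("source port 0")
    if dport == 0:
        reasons.append("destination port 0")
    if seq == 0 and ack == 0:
        reasons.append("seq and ack both zero")
    if computed != stored:
        reasons.append("bad TCP checksum")
    # The SID 524 condition is port 0 alone; the other observations are logged as context.
    return {"alert": sport == 0 or dport == 0, "sport": sport, "dport": dport, "reasons": reasons}


# Constructed sample traffic: one ordinary SYN, one probe to port 0, one all-zero probe.
SAMPLE_PACKETS = [
    build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 80, seq=1000),
    build_ipv4_tcp("10.0.0.1", "10.0.0.2", 4444, 0, seq=5),
    build_ipv4_tcp("10.0.0.1", "10.0.0.2", 0, 0, valid_checksum=False),
]


def run_detector(packets):
    """Inspect every packet and return the per-packet results."""
    return [inspect_ipv4_tcp(p) for p in packets]


if __name__ == "__main__":
    for result in run_detector(SAMPLE_PACKETS):
        print(result)
```

The alert hinges only on the port check, matching the rule's stated condition; the zero SEQ/ACK and checksum observations are recorded so an analyst can see the full pattern the write-up describes, and a probe that carries a correct checksum is still caught by the port test.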
