[Snort-sigs] RE: Snort-sigs digest, Vol 1 #246 - 8 msgs

wh1ten0ise at ...366...
Thu May 30 20:19:03 EDT 2002

>Early morning, first light, ssh in from home to office (NOT x11, NOT
>tunneled x11) get 465 snort alerts against the x11.rules
>(snort 1.87Beta5, including x11.rules)
>Freebsd 4.5
> egrep -c ^TCP
>snort sig says flags A+ (Ack plus anything?)
>Many of the packets logged had AP (Ack and Psh)
>TCP:  port=6000 -> dport: 22  flags=***AP*** seq=401500876
>egrep -c '^TCP.*\*AP\*'
>Many only had A
>TCP:  port=6000 -> dport: 22  flags=***A**** seq=401492556
> egrep -c  '^TCP.*\*A\*'
>So, question one:
>why did snort record those 47 rules?
>I thought A+ meant the Ack flag and at least one more flag?

The rule is written to trigger any time someone uses port 6000.
Port 6000 is the normal listener port for X11.
When you create a conversation (any socket connection) your IP stack
will allocate some random available socket.  You got lucky and drew
port 6000 as the originating port.  Therefore you had a conversation 
on port 6000.  As far as snort is concerned, you are X11.

The right solution would be to change the flags on the rule to have
flags=SA so we have to have a 'new conversation' with port 6000 as the
active listener port.
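The following is an added worked example, not code from the original post or from the Snort project. It applies Snort's `flags:` matching semantics to log lines in the format quoted above, so the two points of the thread can be checked directly: a rule keyed on port 6000 with `flags:A+` fires on an ssh session that merely drew 6000 as its ephemeral source port, while the proposed `flags:SA` only fires on a SYN/ACK that actually comes from a listener on 6000. Note that in Snort the `+` modifier means "the listed bits are set, any others are ignored", so `A+` matches a bare ACK as well as ACK+PSH, which is why both kinds of packet were logged. The sample log lines and the seq numbers in them are constructed for the example; the flag string uses Snort's eight-position `12UAPRSF` layout. Only the suffix modifier form (`A+`, `S*`) seen in the post is handled; the `,mask` form is not.

```python
import re

# Constructed sample log in the format quoted in the post (not real captures).
# Lines 1-3: an ssh client that happened to get ephemeral source port 6000.
# Line 4: the ssh server's SYN/ACK back to that client.
# Line 5: a real X server (listener on 6000) answering a client's SYN.
SAMPLE_LOG = """\
TCP:  port=6000 -> dport: 22  flags=***AP*** seq=401500876
TCP:  port=6000 -> dport: 22  flags=***A**** seq=401492556
TCP:  port=6000 -> dport: 22  flags=******S* seq=401492000
TCP:  port=22 -> dport: 6000  flags=***A**S* seq=777000001
TCP:  port=6000 -> dport: 34567  flags=***A**S* seq=900000001
"""

LINE_RE = re.compile(
    r"^TCP:\s+port=(\d+)\s+->\s+dport:\s+(\d+)\s+flags=(\S+)\s+seq=(\d+)"
)


def parse_line(line):
    """Parse one 'TCP: port=... -> dport: ... flags=... seq=...' line.

    Returns None for lines that do not match. The flags field is an
    eight-character string in Snort's 12UAPRSF layout, with '*' for a
    clear bit, so the set bits are exactly the letters present.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    sport, dport, flagstr, seq = m.groups()
    return {
        "sport": int(sport),
        "dport": int(dport),
        "flags": frozenset(c for c in flagstr if c.isalpha()),
        "seq": int(seq),
    }


def flags_match(spec, flags):
    """Evaluate a Snort 'flags:' spec (suffix-modifier form) against a packet.

    No modifier: the set bits must equal the listed bits exactly.
    '+'        : the listed bits must be set; other bits are ignored.
    '*'        : at least one of the listed bits must be set.
    '!'        : none of the listed bits may be set.
    """
    mod = ""
    if spec and spec[-1] in "+*!":
        mod, spec = spec[-1], spec[:-1]
    wanted = frozenset(spec)
    if mod == "+":
        return wanted <= flags
    if mod == "*":
        return bool(wanted & flags)
    if mod == "!":
        return not (wanted & flags)
    return flags == wanted


def matching_seqs(log, flag_spec, port=6000):
    """Return seq numbers of packets a rule 'src port <port>, flags:<spec>' would alert on."""
    hits = []
    for line in log.splitlines():
        pkt = parse_line(line)
        if pkt and pkt["sport"] == port and flags_match(flag_spec, pkt["flags"]):
            hits.append(pkt["seq"])
    return hits


if __name__ == "__main__":
    # The original rule: fires on the ssh session's ACK and ACK+PSH packets
    # as well as on the genuine X server's SYN/ACK.
    print("A+ :", matching_seqs(SAMPLE_LOG, "A+"))
    # The proposed rule: only the listener on 6000 ever sends SYN/ACK from
    # that port, so the ssh session no longer alerts.
    print("SA :", matching_seqs(SAMPLE_LOG, "SA"))
```

Running it shows that `A+` alerts on three of the five lines, including both packets the poster saw (`***AP***` and `***A****`), while `SA` alerts only on the SYN/ACK sent by the real X listener. The ssh server's own SYN/ACK (line 4) never matches either rule because it is sent from port 22, not 6000.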



