[Snort-users] tcp/510 probe

jess at ...521...
Tue Nov 28 06:03:37 EST 2000


	Hi, folks!

	Yesterday, I received a probe to tcp/510. As far as I know, this
port is associated with the FirstClass Mail Server. I don't know much
about it, but I've been gathering some info and it looks like it runs on
Mac (does it work on other platforms?), with free clients for
UNIX/Windows. I haven't been able to find any info on security problems
with it.

11/26-10:16:21.069471 204.182.234.16:510 -> my_host:510
TCP TTL:235 TOS:0x0 ID:61610 
******S* Seq: 0x3000000   Ack: 0x0   Win: 0x3FFF

	A couple of funny things about this:

	- Very "nice" sequence number to be random: 0x3000000 
	  (coincidence?)

	- Window size: 0x3fff (16383) 
	  (I don't know of any OS using that Window Size. As far as I
	   know, the closest are AIX, which sets it to 16000-16100 but
	   with a TTL of 60 and Windows 2k setting it to 17000-18000 but
	   with a TTL of 128)

	Just one (probably crafted) SYN packet coming from Hawaii Online.
Has anyone experienced the same? Does anyone know about any broken client
that might produce a packet like that? 

	Cheers,

								JESS
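The three header lines quoted in the post carry everything needed to do the triage the poster did by hand: estimate the sender's initial TTL and hop count, check how "round" the initial sequence number is, and compare the window/TTL pair against a few known stacks. The following is an added example written for this thread; it is not code from the original post or from Snort. It parses the Snort 1.x ASCII header dump format shown above (the `******S*` field is the reserved bits 1 and 2 followed by U/A/P/R/S/F, with `*` for a clear bit). The window/TTL table is constructed from the poster's own statements about AIX and Windows 2000 and is an illustration, not a fingerprint database; the ISN and port heuristics are the usual passive-fingerprinting rules of thumb.

```python
"""Triage a Snort 1.x ASCII TCP header dump for signs of a crafted SYN.

Added example for the Snort-users thread above; not Snort code and not the
poster's code. The OS table is constructed from the post's own statements.
"""
import re
from dataclasses import dataclass

# Constructed copy of the alert quoted in the post (host name as posted).
SAMPLE_ALERT = """\
11/26-10:16:21.069471 204.182.234.16:510 -> my_host:510
TCP TTL:235 TOS:0x0 ID:61610
******S* Seq: 0x3000000   Ack: 0x0   Win: 0x3FFF
"""

# Snort 1.x prints eight flag positions: reserved bits 1 and 2, then
# URG ACK PSH RST SYN FIN.  A set bit shows its letter, a clear bit '*'.
HEADER_RE = re.compile(
    r"(?P<ts>\S+)\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"TCP\s+TTL:(?P<ttl>\d+)\s+TOS:0x[0-9A-Fa-f]+\s+ID:(?P<id>\d+)\s+"
    r"(?P<flags>[12UAPRSF*]{8})\s+Seq:\s*0x(?P<seq>[0-9A-Fa-f]+)\s+"
    r"Ack:\s*0x(?P<ack>[0-9A-Fa-f]+)\s+Win:\s*0x(?P<win>[0-9A-Fa-f]+)"
)

# (window_min, window_max, initial_ttl) as described in the post.  Constructed
# illustration only; a real passive-fingerprint database is far larger.
KNOWN_STACKS = {
    "AIX (per the post)": (16000, 16100, 60),
    "Windows 2000 (per the post)": (17000, 18000, 128),
}


@dataclass
class TcpHeaderSummary:
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    ip_id: int
    flags: str      # set flags only, e.g. "S" for a bare SYN
    seq: int
    ack: int
    window: int


def parse_alert(text: str) -> TcpHeaderSummary:
    """Parse one Snort 1.x ASCII TCP header dump into a summary."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("not a Snort 1.x TCP header dump")
    return TcpHeaderSummary(
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        ttl=int(m["ttl"]), ip_id=int(m["id"]), flags=m["flags"].replace("*", ""),
        seq=int(m["seq"], 16), ack=int(m["ack"], 16), window=int(m["win"], 16),
    )


def initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the nearest common initial value."""
    for start in (32, 64, 128, 255):
        if observed <= start:
            return start
    return 255


def isn_trailing_zero_bits(seq: int) -> int:
    """Trailing zero bits of the ISN.  A uniformly random 32-bit ISN has
    16 or more trailing zeros with probability 2**-16, so a high count is
    a strong hint the sequence number was hand-picked."""
    if seq == 0:
        return 32
    return (seq & -seq).bit_length() - 1


def triage(s: TcpHeaderSummary) -> dict:
    """Apply the fingerprinting heuristics from the thread to one header."""
    findings = []
    est_initial = initial_ttl(s.ttl)
    tz = isn_trailing_zero_bits(s.seq)
    if tz >= 16:
        findings.append(f"ISN 0x{s.seq:X} has {tz} trailing zero bits; not random")
    if s.sport == s.dport or s.sport < 1024:
        # A normal client connect() is assigned a high ephemeral port; a low
        # or mirrored source port usually means a raw-socket sender.
        findings.append(f"source port {s.sport} is privileged or equals the destination port")
    matches = [name for name, (lo, hi, ittl) in KNOWN_STACKS.items()
               if lo <= s.window <= hi and initial_ttl(ittl) == est_initial]
    if not matches:
        findings.append(f"window {s.window} with initial TTL {est_initial} matches no known stack")
    return {"initial_ttl": est_initial, "hops": est_initial - s.ttl,
            "isn_trailing_zero_bits": tz, "stack_matches": matches,
            "findings": findings, "likely_crafted": bool(findings)}


if __name__ == "__main__":
    summary = parse_alert(SAMPLE_ALERT)
    for line in triage(summary)["findings"]:
        print(line)
```

Run against the quoted alert, the script estimates an initial TTL of 255 (20 hops away), reports that 0x3000000 has 24 trailing zero bits, that port 510 is both privileged and mirrored, and that 16383/TTL 255 matches neither stack in the table; a SYN from a Windows 2000 host with a random ISN and a high ephemeral port produces no findings.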
