[Snort-users] PortScan stupid Question
jan at ...206...
Thu Oct 12 06:55:05 EDT 2000
> 22.214.171.124:80 -> xxx.xxx.xxx.xxx:1145 UNKNOWN 2*S***A* RESERVED BITS

Don't use your real IPs in MLs and Usenet.

> I think my users are connected to 126.96.36.199:80 and then when the host
> re-opens port on the other side on a port >1024 it detects a portscan

I think you have encountered a thing me and Jim Forster (hi) came
across recently, too. Whenever you make a TCP connection to a
certain host, its reply has some strange flags set in the TCP
header. This is probably caused by a semi-experimental
implementation of ECN, which uses these bits. These are not
normally used in the TCP three-way handshake, so they're
considered a portscan.
Radio HUNDERT,6 Medien GmbH Berlin
- EDV -
j.muenther at ...206...
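
An added example, not part of the original post and not Snort's own code: a triage script that decodes the flag column of alert lines like the one quoted above and separates the two flag combinations RFC 3168 defines for ECN negotiation from other uses of the reserved bits. It assumes the column order `21SFRPAU` with `2` = 0x40 and `1` = 0x80, which is consistent with the quoted alert; the sample lines and addresses are constructed.

```python
import re

# Assumption: flag column order is "21SFRPAU", '*' means the bit is clear,
# "2" is bit 0x40 (ECE in RFC 3168) and "1" is bit 0x80 (CWR in RFC 3168).
ORDER = "21SFRPAU"
BITS = {"2": 0x40, "1": 0x80, "S": 0x02, "F": 0x01,
        "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ECE, CWR, SYN, ACK = 0x40, 0x80, 0x02, 0x10

LINE = re.compile(r"(\S+):(\d+) -> (\S+):(\d+) \S+ ([21SFRPAU*]{8})")

def parse_flags(col):
    """Turn an 8-character flag column into the TCP flags byte."""
    mask = 0
    for want, got in zip(ORDER, col):
        if got == want:
            mask |= BITS[want]
        elif got != "*":
            raise ValueError(f"unexpected {got!r} in flag column {col!r}")
    return mask

def classify(mask):
    """Label a flags byte by its role in the ECN handshake (RFC 3168)."""
    if mask == SYN | ECE | CWR:
        return "ecn-setup-syn"        # client offers ECN
    if mask == SYN | ACK | ECE:
        return "ecn-setup-synack"     # server accepts ECN
    if mask & (ECE | CWR):
        return "reserved-bits-other"  # not a handshake pattern, look closer
    return "no-reserved-bits"

def triage(line):
    """Return (source, destination, label) for one alert line, or None."""
    m = LINE.search(line)
    if not m:
        return None
    src, sport, dst, dport, col = m.groups()
    return (f"{src}:{sport}", f"{dst}:{dport}", classify(parse_flags(col)))

# Constructed sample alert lines using documentation address ranges.
SAMPLES = [
    "192.0.2.10:80 -> 198.51.100.7:1145 UNKNOWN 2*S***A* RESERVED BITS",
    "198.51.100.7:1145 -> 192.0.2.10:80 UNKNOWN 21S***** RESERVED BITS",
    "203.0.113.5:4000 -> 198.51.100.7:22 UNKNOWN 21SF**** RESERVED BITS",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

Lines labelled `ecn-setup-syn` or `ecn-setup-synack` match the handshake described in the reply; anything labelled `reserved-bits-other` still deserves a look.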