[Snort-users] PortScan stupid Question

Jan Muenther jan at ...206...
Thu Oct 12 06:55:05 EDT 2000


Hi there,

> 231.193.0.30:80 -> xxx.xxx.xxx.xxx:1145 UNKNOWN 2*S***A* RESERVED BITS
		     ^^^^^^^^^^^^^^^
Don't use your real IPs in MLs and Usenet.
 
> I think my users are connected to 231.193.0.30:80 and then when the host
> re-open port on the over side on a port >1024 it detect a portscan

I think you have encountered a thing me and Jim Forster (hi) came
across recently, too. Whenever you make a TCP connection to a
certain host, its reply has some strange flags set in the TCP
header. This is probably caused by a semi-experimental
implementation of ECN, which uses these bits. These are not
normally used in the TCP three way handshake, so they're
considered a portscan. 

Bye, Jan

-- 
Radio HUNDERT,6 Medien GmbH Berlin
- EDV -
j.muenther at ...206...



More information about the Snort-users mailing list