[Snort-users] Odd source port

Phil Wood cpw at ...440...
Thu Apr 26 14:17:50 EDT 2001

On Thu, Apr 26, 2001 at 11:27:35PM +1000, Kendall Lister wrote:
> Hello,
> This does not relate directly to snort, but I hope that someone recognises
> it anyway...
> My firewall (xxx.xxx.xxx.xxx) was hit by this packet yesterday morning:
> input ACCEPT eth1 PROTO=6 xxx.xxx.xxx.xxx:21 L=60
> S=0x00 I=48855 F=0x4000 T=36 SYN (#39)
> 13117 is suspiciously similar to 31337 - I'm curious to know if this is
> part of a known modus operandi?

Let's assume that there are no bad guys (just for a sec).  The above packet
is the first of a TCP three-way "call establishment" handshake attempting
to establish a connection to an FTP server on xxx.xxx.xxx.xxx.  The source
port is picked by the client os, so that combined with the source and
destination IP addresses, and destination port it is UNIQUE for that client.
A common way to assign a client source port is to bump a port number, see
if it is not in use, and then make the connection to the server.

Example from my system:

11:38:26.772651 client.1061 > server.ftp: S 2854564041:2854564041(0) win 5840 <mss 1460,sackOK,timestamp 5345072[|tcp]> (DF)
11:38:31.615826 client.1062 > server.ftp: S 2857523568:2857523568(0) win 5840 <mss 1460,sackOK,timestamp 5345556[|tcp]> (DF)
11:38:39.110572 client.1063 > server.ftp: S 2860196158:2860196158(0) win 5840 <mss 1460,sackOK,timestamp 5346305[|tcp]> (DF)

Notice the monotonically increasing source port number.  (I've made about
40 outgoing connections since booting this morning.  Or, maybe its 64552
having been up for a month on my cablemodem , and having wrapped after
reaching 65535 searching the web 24 hours a day.)

Now, let's assume there are bad guys.  If a bad guy wants to find out who
in the world is running an ftp server, he could set up to loop through some
number of IP addresses (millions, spread out over multiple disparate
networks).  In so doing his client port, for each initial connection (SYN)
packet, would increment each time, and easily reach 13317(leelt), or
31337(eleet) or wrap and reach 1024(lo??) again.

Still assuming there are bad guys.  They could fiddle with the source port
and make it anything they want.  

So, the answer is, it all depends.  You might want to research the source
address (assuming it is not spoofed).  Maybe it is a legitimate attempt
to connect to your ftp server.  But, maybe you don't run that service.  
Then you could be a little more sure that it is some kind of information
gathering going on.

Hope this helps,


> Thanks,
> Kendall
> krl at ...1907...
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

Phil Wood, cpw at ...440...

More information about the Snort-users mailing list