[Snort-users] Odd source port

Kendall Lister krl at ...1908...
Thu Apr 26 20:30:04 EDT 2001


On Thu, 26 Apr 2001, Phil Wood wrote:

> > input ACCEPT eth1 PROTO=6 63.230.69.10:13117 xxx.xxx.xxx.xxx:21 L=60
> > S=0x00 I=48855 F=0x4000 T=36 SYN (#39)
> > 
> > 13117 is suspiciously similar to 31337 - I'm curious to know if this is
> > part of a known modus operandi?
> 
> Let's assume that there are no bad guys (just for a sec).  The above
> packet is the first of a TCP three-way "call establishment" handshake
> attempting to establish a connection to an FTP server on
> xxx.xxx.xxx.xxx.  The source port is picked by the client OS, so that
> combined with the source and destination IP addresses, and destination
> port it is UNIQUE for that client. A common way to assign a client
> source port is to bump a port number, see if it is not in use, and
> then make the connection to the server.
> 
> Example from my system:

Hi Phil,

Thanks a lot for your detailed response - I knew most of it already, but
it always helps to be reassured. I understand the possibility that port
13117 could be a fluke, and also that an incomer could arbitrarily choose
it. What I'm wondering is if anyone else has seen it with enough
regularity to suggest a particular (exploit) client - I have searched and
not found any references to it. If anyone has seen it in their logs, feel
free to contact me off the list to discuss it further, and then we can
report back if anything comes of it...

Kendall
krl at ...1907...
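Added example, not part of the thread: a small Python parser for the ipchains log format quoted above, plus a check of the source port against an analyst watch list and against typical client ephemeral ranges of the period. The range table and the 31337 watch list are assumptions for illustration.

```python
import re
from typing import Optional

# Constructed sample: the ipchains log entry quoted in the thread, rejoined on one line
SAMPLE = ("input ACCEPT eth1 PROTO=6 63.230.69.10:13117 xxx.xxx.xxx.xxx:21 L=60 "
          "S=0x00 I=48855 F=0x4000 T=36 SYN (#39)")

# ipchains layout: chain, verdict, interface, PROTO=, src:port, dst:port,
# then key=value pairs, an optional TCP flag word, and the rule number in parentheses.
_LINE = re.compile(
    r"(?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+)(?P<rest>.*)$")
_RULE = re.compile(r"\(#(\d+)\)")

def parse_ipchains(line: str) -> Optional[dict]:
    """Split one ipchains log line into fields; return None if it does not match."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    rest = rec.pop("rest").split()
    rec["fields"] = {}
    for token in rest:
        if "=" in token:                      # L=60, S=0x00, I=48855, F=0x4000, T=36
            k, v = token.split("=", 1)
            rec["fields"][k] = v
    rec["tcp_flags"] = [w for w in rest if w.isalpha()]   # SYN, ACK, ...
    rule = _RULE.search(line)
    rec["rule"] = int(rule.group(1)) if rule else None
    return rec

# Typical client-side ephemeral ranges of the era (assumption; adjust to your fleet)
EPHEMERAL_RANGES = {
    "linux-2.2": (1024, 4999),
    "linux-2.4": (32768, 61000),
    "windows-nt": (1025, 5000),
    "iana": (49152, 65535),
}
WATCHLIST = {31337}   # ports the analyst wants flagged outright (assumption)

def assess_source_port(sport: int) -> dict:
    """Report whether a source port is watch-listed and which ephemeral ranges contain it."""
    return {
        "watchlisted": sport in WATCHLIST,
        "plausible_os": sorted(name for name, (lo, hi) in EPHEMERAL_RANGES.items()
                               if lo <= sport <= hi),
    }
```

An empty `plausible_os` list only says the port is outside the configured ranges; it is a prompt to correlate with other sources, not a verdict on its own.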
