[Snort-users] Odd source port

swilcoxon at ...1927... swilcoxon at ...1927...
Fri Apr 27 09:51:24 EDT 2001


Also, keep in mind that NAT-based firewalls often end up using high-numbered
ports for traffic they are forwarding (especially Linux-based ones).

> -----Original Message-----
> From: Phil Wood [mailto:cpw at ...440...]
> Sent: Thursday, April 26, 2001 10:05 PM
> To: Kendall Lister
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Odd source port
> 
> 
> Hi again,
> 
> I didn't say it outright, but when I see a high source port on the first
> packet of a TCP 3-way handshake to one of the classic service ports that
> is attacked by ramen, 1i0n, and such scripts, I think either this guy is
> scanning and happened to hit my address space after having possibly scanned
> other networks, or he's using a host that's been up a long long time and
> the high source port's number just came up naturally in the course of things.
> If I wasn't running an ftp server (in this case), then I'd be pretty sure
> that I was seeing a scan for wu-ftpd vulnerability number x.
> 
> All ports look suspicious to me.  Especially when I'm running a true
> client with no services to offer and everyone in the world is hitting
> me up for port 21, 25, 53, 80, 109, 110, 111, 515, ...
> 
> Good Luck,
> 
> Phil
> 
<SNIP>
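
The reasoning in this thread, as an added example that is not part of the original messages: inbound SYNs are grouped by source and judged by whether the targeted classic port is actually offered, while a high source port is recorded only as context because NAT and long-running hosts produce it naturally. The log format, the `OFFERED` set, the `HIGH_PORT` threshold, the verdict labels and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

CLASSIC_PORTS = {21, 25, 53, 80, 109, 110, 111, 515}  # ports listed in the thread
OFFERED = frozenset({21})  # assumption: this host really runs an FTP server
HIGH_PORT = 32768          # assumption: threshold for a "high" source port

# Constructed log format: "<time> SYN <src_ip>:<sport> -> <dst_ip>:<dport>"
LINE = re.compile(r"^\S+ SYN (\S+):(\d+) -> \S+:(\d+)$")
# Constructed sample data (documentation address ranges).
SAMPLE = """\
09:00:01 SYN 198.51.100.7:61002 -> 192.0.2.10:21
09:00:01 SYN 198.51.100.7:61003 -> 192.0.2.10:111
09:00:02 SYN 198.51.100.7:61004 -> 192.0.2.10:515
09:03:10 SYN 203.0.113.40:62444 -> 192.0.2.10:21
09:05:55 SYN 203.0.113.99:1045 -> 192.0.2.10:53
this line does not parse and is skipped
"""

def classify(log, offered=OFFERED):
    """Map each source IP to (verdict, saw_high_source_port)."""
    unoffered = defaultdict(set)  # src -> classic ports probed with no service behind them
    seen_high = {}                # src -> True if any SYN used a high source port
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        src, sport, dport = m.group(1), int(m.group(2)), int(m.group(3))
        if dport not in CLASSIC_PORTS:
            continue
        seen_high[src] = seen_high.get(src, False) or sport >= HIGH_PORT
        if dport not in offered:
            unoffered[src].add(dport)
    result = {}
    for src, high in seen_high.items():
        n = len(unoffered[src])
        if n >= 2:
            verdict = "likely scan"
        elif n == 1:
            verdict = "probe of unoffered service"
        else:
            # Only offered ports hit: a high source port alone proves nothing (NAT).
            verdict = "ambiguous"
        result[src] = (verdict, high)
    return result

if __name__ == "__main__":
    for src, (verdict, high) in classify(SAMPLE).items():
        print(f"{src:15} {verdict:27} high_source_port={high}")
```

Calling `classify(SAMPLE, offered=frozenset())` models the "true client with no services" case, where the same FTP connection attempt is no longer ambiguous.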



