[Snort-users] Null Scan

Peter Charbonneau Peter.Charbonneau at ...1479...
Mon Mar 5 07:30:47 EST 2001


Good Morning,

  Any thoughts as to why the following would show up as a NULL SCAN?

--
[**]  <xl1> IDS04 - SCAN-NULL Scan [**]
03/05-07:21:26.811166 62.67.64.80:18245 -> 137.x.y.z:21504
--

($HOME_NET obscured to protect the innocent)

PeteC

Peter Charbonneau
Sr. Networks and Systems Administrator
Williams College
(413) 597-3408
(209) 391- 9821 (fax)
----- Original Message -----
From: "Ralf Hildebrandt" <Ralf.Hildebrandt at ...821...>
To: "Snort Users" <snort-users at lists.sourceforge.net>
Cc: "Jim Forster" <jforster at ...176...>
Sent: Monday, March 05, 2001 6:41 AM
Subject: Re: [Snort-users] Just FYI


> On Fri, Mar 02, 2001 at 03:55:59PM +0100, Ralf Hildebrandt wrote:
>
> > Some stuff:
> >
> > * Many rules with ":1023" are falsely labeled as "< 1023"; must be "< 1024" or
> >   "<= 1023"
> >
> > * The rule "MISC source port 53 to <1024" has the same text for both UDP and
> >   TCP; I propose "MISC source port 53 to <1024 (UDP)" and "MISC source port
> >   53 to <1024 (UDP)"
>
> Some more:
>
> * The Wingate rule is duplicated; one with port 1080 and once with both 1080
>   and 8080 as destination port
>
> --
> ralf.hildebrandt at ...821...
> System Engineer                                            innominate AG
> Diplom-Informatiker                                 the linux architects
> tel: +49.30.308806-62  fax: -698                      www.innominate.com