[Snort-users] Question

John Sage jsage at ...2022...
Thu Nov 29 20:45:01 EST 2001


After a quick look there are several rules of type "bad-unknown" in 
snort 1.8.2 ftp.rules

(I looked at those because of the dest port 21)

Without you showing more, it's hard to say which one specifically 
triggered this, and most of the rules seem to have the ACK flag set...

One odd thing, though, is the source port 20 (which is usually the for 
the ftp data connection) and destination port 21 (which is the ftp 
control connection)

That's not right: *if* you were offering ftp service, one would expect a 
high source port on their end, SYN flag set, to your port 21, and then 
data transfers would be *from* your 20 to another high port on their end...

- John

Beau Mersereau wrote:

> I've had about 12000 alerts in the three weeks or so.  No big deal...
> Pretty much all Nimda, etc.  I got a new one today, though...
> Source Port 20
> Dest Port   21
> Syn         x
> Sex#        2607314233

heh.. seq?

> Ack         0
> offset      5
> res         0
> window      16383
> urp         0
> chksum      64923
> The classification was <bad unknown>.

More information about the Snort-users mailing list