jsage at ...2022...
Thu Nov 29 20:45:01 EST 2001
After a quick look there are several rules of type "bad-unknown" in
snort 1.8.2 ftp.rules
(I looked at those because of the dest port 21)
Without you showing more, it's hard to say which one specifically
triggered this, and most of the rules seem to have the ACK flag set...
One odd thing, though, is the source port 20 (which is usually for
the ftp data connection) and destination port 21 (which is the ftp
That's not right: *if* you were offering ftp service, one would expect a
high source port on their end, SYN flag set, to your port 21, and then
data transfers would be *from* your 20 to another high port on their end...
Beau Mersereau wrote:
> I've had about 12000 alerts in the three weeks or so. No big deal...
> Pretty much all Nimda, etc. I got a new one today, though...
> Source Port 20
> Dest Port 21
> Syn x
> Seq# 2607314233
> Ack 0
> offset 5
> res 0
> window 16383
> urp 0
> chksum 64923
> The classification was <bad unknown>.
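
The port and flag expectations described in the reply above, written as a check over alert fields. This is an added example, not part of the original thread or of Snort. The function names, the 1024 "high port" boundary, and reading `x` as a set flag are assumptions, and the sample input is constructed.

```python
import re

# Constructed sample: alert fields in the "Name value" layout of the quoted message.
SAMPLE_ALERT = """\
> Source Port 20
> Dest Port 21
> Syn x
> Ack 0
> window 16383
"""

FTP_CONTROL, FTP_DATA = 21, 20
EPHEMERAL_MIN = 1024  # assumption: conventional boundary for "high" ports


def parse_alert(text):
    """Parse 'Name value' lines; a value of 'x' is taken to mean a set flag."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*>?\s*(.+?)\s+(\S+)\s*$", line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2)
        if val.lower() == "x":
            fields[key] = True
        elif val.isdigit():
            fields[key] = int(val)   # e.g. "Ack 0" is the ack number, not the flag
        else:
            fields[key] = val
    return fields


def classify(f):
    """Compare ports and flags with what active-mode FTP normally produces."""
    sport, dport = f.get("source port"), f.get("dest port")
    if not isinstance(sport, int) or not isinstance(dport, int):
        return "incomplete: ports missing"
    opening = f.get("syn") is True and f.get("ack") is not True
    if opening and dport == FTP_CONTROL:
        if sport == FTP_DATA:
            return "anomalous: SYN to port 21 from FTP data port 20"
        if sport < EPHEMERAL_MIN:
            return "anomalous: SYN to port 21 from a low source port"
        return "expected: client opening a control connection"
    if opening and sport == FTP_DATA and dport >= EPHEMERAL_MIN:
        return "expected: active-mode data connection from port 20"
    return "not covered by this check"


if __name__ == "__main__":
    print(classify(parse_alert(SAMPLE_ALERT)))
```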