[Snort-users] Help interpreting a trace

Sheahan, Paul (PCLN-NW) Paul.Sheahan at ...2218...
Fri Oct 19 09:27:22 EDT 2001


Running latest Snort on RH Linux 7.

Occasionally, I see traces similar to the following, which just occurred here
yesterday. The src and dst ports are the same. I created a custom rule to
check for outgoing connections on port 80 which is what tripped this.
Looking at the TCP settings, both SYN and ACK are set which means this is a
response, not an initiated connection from my network. In other words, the
unknown server on the Internet had to communicate with my server first with
a source port of 80.

Is my interpretation correct? How can someone force a source port of 80?
What would be the purpose of doing that anyway since most IDS systems would
pick right up on this? Any info is appreciated since I can't seem to find
info on this anywhere else so far.....


10/18-09:43:46.687742 <my web server>:80 -> <unknown server>:80
TCP TTL:128 TOS:0x0 ID:7707 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x63209372  Ack: 0xB2B2692C  Win: 0x2238  TcpLen: 24
TCP Options (1) => MSS: 1460

10/18-09:55:46.894132 <my web server>:80 -> <unknown server>:80
TCP TTL:128 TOS:0x0 ID:37345 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x30040264  Ack: 0xDD9B3E9A  Win: 0x2238  TcpLen: 24
TCP Options (1) => MSS: 1460



Thanks,
Paul 
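As an added illustration (not part of the original post), a small Python parser for the Snort packet-dump lines quoted above: it decodes the flag field (Snort prints flags in the fixed order `12UAPRSF`) and checks the same-port SYN/ACK reading described in the post. The sample records are constructed with RFC 5737 documentation addresses in place of the redacted hosts.

```python
import re
# Snort prints TCP flags as an 8-character field in the fixed order
# 1 2 U A P R S F (reserved bits, URG, ACK, PSH, RST, SYN, FIN); '*' = clear.
FLAG_ORDER = "12UAPRSF"
HEADER_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$")
TCP_RE = re.compile(
    r"^(?P<flags>[12UAPRSF*]{8})\s+Seq:\s*(?P<seq>0x[0-9A-Fa-f]+)\s+Ack:\s*(?P<ack>0x[0-9A-Fa-f]+)")
# Constructed sample in the same layout as the post; the redacted hosts are
# replaced with RFC 5737 documentation addresses, not real ones.
SAMPLE = """\
10/18-09:43:46.687742 192.0.2.10:80 -> 203.0.113.5:80
TCP TTL:128 TOS:0x0 ID:7707 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x63209372  Ack: 0xB2B2692C  Win: 0x2238  TcpLen: 24
TCP Options (1) => MSS: 1460

10/18-09:55:46.894132 192.0.2.10:80 -> 203.0.113.5:80
TCP TTL:128 TOS:0x0 ID:37345 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x30040264  Ack: 0xDD9B3E9A  Win: 0x2238  TcpLen: 24
TCP Options (1) => MSS: 1460
"""

def decode_flags(field):
    """Turn Snort's '***A**S*' field into the set of flag letters that are set."""
    return {FLAG_ORDER[i] for i, ch in enumerate(field) if ch != "*"}

def parse_records(dump):
    """Parse each blank-line-separated packet record into a dict."""
    out = []
    for block in re.split(r"\n\s*\n", dump.strip()):
        lines = [l.strip() for l in block.splitlines()]
        hdr = HEADER_RE.match(lines[0])
        tcp = TCP_RE.match(lines[2]) if len(lines) > 2 else None
        if not hdr or not tcp:
            continue  # not TCP, or not the layout shown in the post
        out.append({"ts": hdr["ts"], "src": hdr["src"], "sport": int(hdr["sport"]),
                    "dst": hdr["dst"], "dport": int(hdr["dport"]),
                    "flags": decode_flags(tcp["flags"]),
                    "seq": int(tcp["seq"], 16), "ack": int(tcp["ack"], 16)})
    return out

def classify(rec):
    """Handshake role of the packet, judged from its flag set."""
    f = rec["flags"]
    if f == {"S"}:
        return "SYN: src opened the connection"
    if f == {"S", "A"}:  # a reply: dst sent the SYN to src:sport from its port dport
        return "SYN/ACK: reply, dst initiated the connection"
    return "RST" if "R" in f else "other"

def same_port_synack(rec):
    """The pattern from the post: a SYN/ACK whose source and destination ports match."""
    return rec["flags"] == {"S", "A"} and rec["sport"] == rec["dport"]
```

Running `parse_records(SAMPLE)` on the two constructed records yields the ACK+SYN flag set with both ports equal to 80, which is what the post's reading of the trace requires.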



