[Snort-users] Help interpreting a trace

Chris Eidem jceidem at ...2191...
Mon Oct 22 06:33:13 EDT 2001


It could be that someone is attempting a scan using ports that you
probably allow through your firewall.  If no other ports are allowed,
trying to sneak a scan in through ports 21, 53, 80, or 443 may get you
more information and nmap allows you to pick a source port for just this
reason.

hth
Chris

> -----Original Message-----
> From: Sheahan, Paul (PCLN-NW) [mailto:Paul.Sheahan at ...2218...]
> Sent: Friday, October 19, 2001 11:26 AM
> To: Snort List (E-mail)
> Subject: [Snort-users] Help interpreting a trace
> 
> 
> Running latest Snort on RH Linux 7.
> 
> Occasionally, I see traces similar to the following, which just occurred
> here yesterday. The src and dst ports are the same. I created a custom
> rule to check for outgoing connections on port 80, which is what tripped
> this. Looking at the TCP settings, both SYN and ACK are set, which means
> this is a response, not an initiated connection from my network. In other
> words, the unknown server on the Internet had to communicate with my
> server first with a source port of 80.
> 
> Is my interpretation correct? How can someone force a source port of 80?
> What would be the purpose of doing that anyway, since most IDS systems
> would pick right up on this? Any info is appreciated since I can't seem
> to find info on this anywhere else so far.....
> 
> 
> 10/18-09:43:46.687742 <my web server>:80 -> <unknown server>:80
> TCP TTL:128 TOS:0x0 ID:7707 IpLen:20 DgmLen:44 DF
> ***A**S* Seq: 0x63209372  Ack: 0xB2B2692C  Win: 0x2238  TcpLen: 24
> TCP Options (1) => MSS: 1460
> 
> 10/18-09:55:46.894132 <my web server>:80 -> <unknown server>:80
> TCP TTL:128 TOS:0x0 ID:37345 IpLen:20 DgmLen:44 DF
> ***A**S* Seq: 0x30040264  Ack: 0xDD9B3E9A  Win: 0x2238  TcpLen: 24
> TCP Options (1) => MSS: 1460
> 
> 
> 
> Thanks,
> Paul 
> 
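As an added example (not code from either poster), a small Python parser for the alert records quoted above: it reads Snort's classic alert text, decodes the eight-position flag field (1 2 U A P R S F) and writes out the interpretation the thread arrives at, namely that a SYN/ACK leaving the web server means the outside host initiated, and that matching well-known ports are consistent with a probe that pinned its source port to one the firewall permits. The sample records and the port set are constructed from the two posts.

```python
import re
from dataclasses import dataclass

# Constructed sample in Snort's classic alert text format, modelled on the
# two records in the thread (placeholder hosts, numbers copied from the post).
SAMPLE = """\
10/18-09:43:46.687742 <my web server>:80 -> <unknown server>:80
TCP TTL:128 TOS:0x0 ID:7707 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x63209372  Ack: 0xB2B2692C  Win: 0x2238  TcpLen: 24
TCP Options (1) => MSS: 1460

10/18-09:55:46.894132 <my web server>:80 -> <unknown server>:80
TCP TTL:128 TOS:0x0 ID:37345 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x30040264  Ack: 0xDD9B3E9A  Win: 0x2238  TcpLen: 24
TCP Options (1) => MSS: 1460
"""

HEADER = re.compile(r"^(\S+) (.+?):(\d+) -> (.+?):(\d+)$")
FLAG_NAMES = "12UAPRSF"              # Snort's fixed flag positions, '*' = unset
SERVICE_PORTS = {21, 53, 80, 443}    # ports the reply names as commonly allowed

@dataclass
class Record:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: set

def parse(text):
    """Split alert text into records; the flag field is the third line."""
    records, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        m = HEADER.match(line)
        if not m:
            continue
        flag_line = lines[i + 2]
        flags = {FLAG_NAMES[k] for k, c in enumerate(flag_line[:8]) if c != "*"}
        records.append(Record(m[1], m[2], int(m[3]), m[4], int(m[5]), flags))
    return records

def assess(r):
    """Explain one record from the defender's side, as the thread does."""
    notes = []
    if r.flags == {"S", "A"}:       # pure SYN/ACK: we are answering their SYN
        notes.append(f"SYN/ACK: {r.src} is replying to a SYN that {r.dst} sent "
                     f"from port {r.dport}, so the outside host initiated")
    if r.sport == r.dport and r.sport in SERVICE_PORTS:
        notes.append(f"peer pinned its source port to {r.dport}: consistent "
                     "with a scan using a firewall-permitted port")
    return notes
```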