[Snort-users] False Alert and IP Number

John Sage jsage at ...2022...
Sat Sep 15 08:31:01 EDT 2001




Alerts "..of the NetMetro Backdoor kind.." (your words: do you mean 
that's the specific ID being returned?) seem to trigger on tcp packets 
with a source port 5031, a destination port 1024, and both the ACK and 
SYN flags set.

Are these characteristic of the packets you're seeing?

- John

John Sage
FinchHaven, Vashon Island, WA, USA
mailto:jsage at ...2022...
"The web is so, like, five minutes ago..."

George D. Nincehelser wrote:

> I'm not sure if this is the appropriate list, but here's something odd I
> noticed.
> I don't think it is any problem with Snort, but I'm not sure why it is
> happening.
> I've had Snort running for some time on our DSL link attached to our
> development lab.  Recently, the DSL provider filed for bankruptcy, so our
> development systems were switched to another DSL provider.  Snort went along
> for the ride.
> Due to limited IP space on the new link, several of the development servers
> were "stacked" onto one public IP number via NAT instead of each having its own
> distinct public IP.
> Since doing this, I've started getting alerts of the NetMetro Backdoor kind.
> However, the traffic is innocent and normal for our product.
> The only difference is the "stacked" public IP situation.  The alerts
> started immediately after the IP change, and never occurred before.
> Is it reasonable to think that the port-stacking and NAT is altering the
> packets in a way that just happens to look like suspicious traffic?  (The
> traffic causing this is between SCO Unix boxes running a custom application)
> Thoughts?
> Thanks
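The four match conditions John lists (TCP, source port 5031, destination port 1024, SYN and ACK set) modelled in Python, as an added example that is not from the thread. The scenario is constructed: it assumes the custom application's server listens on port 5031 and that the NAT happens to hand an outbound flow public source port 1024, which is enough for the server's SYN/ACK to satisfy the signature after translation even though the same flow would not match before NAT.

```python
# Model of the NetMetro signature criteria quoted in the thread, plus a
# constructed source-NAT scenario showing how port "stacking" can create a
# packet that matches them. Addresses and ports are invented for the demo.
from dataclasses import dataclass

SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def matches_netmetro_signature(p: Packet) -> bool:
    """True when all four conditions from the rule hold: tcp, sport 5031,
    dport 1024, and both SYN and ACK set (other flags are not checked)."""
    return (p.proto == "tcp" and p.sport == 5031 and p.dport == 1024
            and (p.flags & (SYN | ACK)) == (SYN | ACK))


def nat_translate(p: Packet, public_ip: str, port_map: dict) -> Packet:
    """Source-NAT an outbound packet: rewrite the source address and map the
    private (ip, port) pair to the public port the NAT chose for it."""
    return Packet(p.proto, public_ip, port_map[(p.src, p.sport)],
                  p.dst, p.dport, p.flags)


def reply_to(p: Packet, flags: int) -> Packet:
    """The peer's answer to p: addresses and ports swapped, new flags."""
    return Packet(p.proto, p.dst, p.dport, p.src, p.sport, flags)


def nat_false_positive_demo() -> dict:
    # Assumption: an internal box (10.0.0.5, ephemeral port 40000) connects
    # to the application server on port 5031; the NAT maps that flow to
    # public port 1024 because lower ports were already in use.
    port_map = {("10.0.0.5", 40000): 1024}
    syn = Packet("tcp", "10.0.0.5", 40000, "203.0.113.9", 5031, SYN)
    syn_after_nat = nat_translate(syn, "198.51.100.1", port_map)
    return {
        # Un-NATed reply goes to port 40000: no match.
        "before_nat_alerts": matches_netmetro_signature(reply_to(syn, SYN | ACK)),
        # NATed reply goes from 5031 to 1024 with SYN/ACK: matches.
        "after_nat_alerts": matches_netmetro_signature(reply_to(syn_after_nat, SYN | ACK)),
    }
```

Comparing the two results against a capture of the real traffic (with tcpdump on the outside of the NAT) is the quickest way to confirm whether the translated source port is what makes the alert fire.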
