[Snort-users] False Alert and IP Number
jsage at ...2022...
Sat Sep 15 08:31:01 EDT 2001
Alerts "..of the NetMetro Backdoor kind.." (your words: do you mean
that's the specific ID being returned?) seem to trigger on tcp packets
with a source port 5031, a destination port 1024, and both the ACK and
SYN flags set.
Are these characteristic of the packets you're seeing?
FinchHaven, Vashon Island, WA, USA
mailto:jsage at ...2022...
"The web is so, like, five minutes ago..."
George D. Nincehelser wrote:
> I'm not sure if this is the appropriate list, but here's something odd I
> I don't think it is any problem with Snort, but I'm not sure why it is
> I've had Snort running for some time on our DSL link attached to our
> development lab. Recently, the DSL provider filed for bankruptcy, so our
> development systems were switched to another DSL provider. Snort went along
> for the ride.
> Due to limited IP space on the new link, several of the development servers
> were "stacked" onto one public IP number via NAT instead of each having its own
> distinct public IP.
> Since doing this, I've started getting alerts of the NetMetro Backdoor kind.
> However, the traffic is innocent and normal for our product.
> The only difference is the "stacked" public IP situation. The alerts
> started immediately after the IP change, and never occurred before.
> Is it reasonable to think that the port-stacking and NAT is altering the
> packets in a way that just happens to look like suspicious traffic? (The
> traffic causing this is between SCO Unix boxes running a custom application)
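The scenario the two messages describe, written out as an added example (it is not code from the thread or from the Snort project): a small model of a many-to-one NAT in front of a sensor, the header check jsage lists for the NetMetro alert (source port 5031, destination port 1024, SYN and ACK set), and one way the check could be narrowed so that documented application peers stop producing alerts. The NAT handing out public source ports sequentially from 1024, the addresses, and the `tuned_match` helper are all constructed assumptions for illustration, not facts from the thread.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Tcp:
    """Minimal header view: only the fields the signature looks at."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset


def matches_netmetro_signature(p: Tcp) -> bool:
    """Characteristics jsage lists for the alert: source port 5031,
    destination port 1024, SYN and ACK both set. Payload is ignored here."""
    return p.src_port == 5031 and p.dst_port == 1024 and {"SYN", "ACK"} <= p.flags


class PortStackingNat:
    """Many-to-one ("stacked") NAT: every inside host shares one public IP and
    each new outbound flow gets the next free public source port, starting at
    1024. Sequential allocation from 1024 is a constructed assumption (common in
    simple NAT code), not something the thread states."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}  # public port -> (inside ip, inside port)

    def outbound(self, p: Tcp) -> Tcp:
        inside = (p.src_ip, p.src_port)
        for pub_port, mapped in self.table.items():
            if mapped == inside:
                break
        else:
            pub_port = self.next_port
            self.next_port += 1
            self.table[pub_port] = inside
        return replace(p, src_ip=self.public_ip, src_port=pub_port)

    def inbound(self, p: Tcp):
        """Reverse translation; None means no mapping exists (packet dropped)."""
        mapped = self.table.get(p.dst_port)
        if mapped is None or p.dst_ip != self.public_ip:
            return None
        return replace(p, dst_ip=mapped[0], dst_port=mapped[1])


def simulate_handshake(nat, client_ip, client_port, server_ip, server_port):
    """A client behind the NAT connects to an outside server. Returns the SYN
    and SYN/ACK as a sensor on the public side of the NAT would see them."""
    syn = Tcp(client_ip, client_port, server_ip, server_port, frozenset({"SYN"}))
    syn_public = nat.outbound(syn)
    synack = Tcp(server_ip, server_port, syn_public.src_ip, syn_public.src_port,
                 frozenset({"SYN", "ACK"}))
    return syn_public, synack


# Constructed tuning data: the lab's inside range and the known application peers.
HOME_NET = [ip_network("10.0.0.0/8")]
TRUSTED_APP_PEERS = {"198.51.100.20"}


def tuned_match(p: Tcp, home_net=HOME_NET, trusted_peers=TRUSTED_APP_PEERS) -> bool:
    """Same header check, but SYN/ACKs from inside hosts or from documented
    application peers are not alerted on. This is the effect a pass rule or a
    tighter source-address restriction would have in the ruleset."""
    if not matches_netmetro_signature(p):
        return False
    src = ip_address(p.src_ip)
    if any(src in net for net in home_net):
        return False
    return p.src_ip not in trusted_peers


if __name__ == "__main__":
    nat = PortStackingNat("203.0.113.10")
    _, synack = simulate_handshake(nat, "10.0.0.5", 40000, "198.51.100.20", 5031)
    print("raw signature fires:", matches_netmetro_signature(synack))
    print("tuned check fires:", tuned_match(synack))
```

The first flow through the NAT gets public port 1024, so the server's SYN/ACK from port 5031 back to port 1024 satisfies the header check even though the traffic is the lab's own application; the second inside host gets port 1025 and does not match. Whether a real NAT allocates that way is exactly what a packet capture on the public side of the link would confirm or rule out.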