[Snort-users] False Alert and IP Number

John Sage jsage at ...2022...
Sat Sep 15 08:31:01 EDT 2001


George:

See:

http://www.whitehats.com/cgi/arachNIDS/Show?_id=ids79&view=event

Alerts "..of the NetMetro Backdoor kind.." (your words: do you mean 
that's the specific ID being returned?) seem to trigger on tcp packets 
with a source port 5031, a destination port 1024, and both the ACK and 
SYN flags set.

Are these characteristic of the packets you're seeing?


- John

-- 
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage at ...2022...
"The web is so, like, five minutes ago..."


George D. Nincehelser wrote:

> I'm not sure if this is the appropriate list, but here's something odd I
> noticed.
> 
> I don't think it is any problem with Snort, but I'm not sure why it is
> happening.
> 
> I've had Snort running for some time on our DSL link attached to our
> development lab.  Recently, the DSL provider filed for bankruptcy, so our
> development systems were switched to another DSL provider.  Snort went along
> for the ride.
> 
> Due to limited IP space on the new link, several of the development servers
> were "stacked" onto one public IP number via NAT instead of each having its own
> distinct public IP.
> 
> Since doing this, I've started getting alerts of the NetMetro Backdoor kind.
> However, the traffic is innocent and normal for our product.
> 
> The only difference is the "stacked" public IP situation.  The alerts
> started immediately after the IP change, and never occurred before.
> 
> Is it reasonable to think that the port-stacking and NAT is altering the
> packets in a way that just happens to look like suspicious traffic?  (The
> traffic causing this is between SCO Unix boxes running a custom application)
> 
> Thoughts?
> Thanks
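As an added illustration (not code from either poster, and not Snort's own rule syntax), the script below re-implements the match criteria John lists for the NetMetro signature: TCP, source port 5031, destination port 1024, SYN and ACK both set. It runs those criteria over a few constructed one-line packet summaries (a format assumed here, loosely modelled on tcpdump output) to show that the match is header-only, so a legitimate server behind the NATed address answering a handshake from port 5031 to a client on port 1024 fires exactly the same alert as the backdoor would. Whether "both flags set" means exactly SYN+ACK or at least SYN+ACK is not stated in the thread; the code takes the "at least" reading.

```python
"""Added example: header-only re-implementation of the NetMetro signature
criteria described in the thread, applied to constructed packet summaries.
Not Snort rule syntax; the summary line format is an assumption."""

import re
from dataclasses import dataclass

# Signature values as described in the reply (assumed to mirror the rule).
NETMETRO_SRC_PORT = 5031
NETMETRO_DST_PORT = 1024
NETMETRO_FLAGS = frozenset({"S", "A"})   # SYN and ACK both present


@dataclass(frozen=True)
class TcpSummary:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset


# Constructed one-line format: "tcp SRC:PORT > DST:PORT flags=SA"
_LINE = re.compile(r"^tcp\s+(\S+):(\d+)\s+>\s+(\S+):(\d+)\s+flags=([A-Z]*)$")


def parse_summary(line: str) -> TcpSummary:
    """Parse one constructed summary line into a TcpSummary."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised summary line: {line!r}")
    src, sport, dst, dport, flags = m.groups()
    return TcpSummary(src, int(sport), dst, int(dport), frozenset(flags))


def matches_netmetro(pkt: TcpSummary) -> bool:
    """True when the header carries the values the signature keys on.

    Only ports and flags are consulted; neither payload nor the surrounding
    conversation is. A benign server answering a handshake from port 5031
    to a client whose ephemeral port happens to be 1024 therefore matches.
    """
    return (pkt.src_port == NETMETRO_SRC_PORT
            and pkt.dst_port == NETMETRO_DST_PORT
            and NETMETRO_FLAGS <= pkt.flags)


# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE_LINES = [
    # 1: server behind the NATed address answering a handshake: matches
    "tcp 203.0.113.7:5031 > 198.51.100.9:1024 flags=SA",
    # 2: same flow, a data segment after the handshake: no SYN, so no match
    "tcp 203.0.113.7:5031 > 198.51.100.9:1024 flags=PA",
    # 3: SYN/ACK from a different service port: no match
    "tcp 203.0.113.7:22 > 198.51.100.9:1024 flags=SA",
    # 4: the client's initial SYN in the other direction: no match
    "tcp 198.51.100.9:1024 > 203.0.113.7:5031 flags=S",
]


def triage(lines):
    """Split summary lines into (matched, not_matched) lists of TcpSummary."""
    hits, misses = [], []
    for line in lines:
        pkt = parse_summary(line)
        (hits if matches_netmetro(pkt) else misses).append(pkt)
    return hits, misses


if __name__ == "__main__":
    hits, misses = triage(SAMPLE_LINES)
    for p in hits:
        print(f"ALERT   {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port} "
              f"flags={''.join(sorted(p.flags))}")
    for p in misses:
        print(f"ignore  {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port} "
              f"flags={''.join(sorted(p.flags))}")
```

When checking an alert like George's, the three fields this function tests are the ones to read off the captured packet; if they agree with the signature and the flow is known to be the SCO application's normal handshake, the alert is a header-level coincidence rather than a sign the NAT device corrupted anything.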





