[Snort-users] Help! udp port 0 ?! Pls tell me I am wrong..

rick sun.admin at ...530...
Wed Sep 19 23:40:03 EDT 2001


Hi Gurus,

I am still very new to snort. I was checking my log and I saw something very
interesting which I can't explain. I've seen something like that a lot of
times: my box is sending out icmp port unreachable to 205.188.153.X (icq
servers), and I am running icq.

[**] [1:402:1] ICMP Destination Unreachable (Port Unreachable) [**]
09/19-02:17:36.066612 a.b.c.20 -> 205.188.153.99
ICMP TTL:64 TOS:0x0 ID:2112 IpLen:20 DgmLen:56 DF
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
205.188.153.99:0 -> a.b.c.20:0
UDP TTL:231 TOS:0x0 ID:47112 IpLen:20 DgmLen:100
** END OF DUMP
To my understanding, this means 205.188.153.99 sent a udp packet to my box
(a.b.c.20) at port 0, then my box sent an icmp port unreachable packet to
the sender.

Port 0 to Port 0 seems very interesting. However, when I did a "tcpdump -r
mytcpdumpbinaryfile port 0", I got nothing. I used ethereal to do a
filtering on port 0, and got nothing either. Well, but I saw this

02:17:36.065076 205.188.153.99.53 > a.b.c.20.2234:  1280 [b2&3=0x4d]
[12306a] [51673q] [517n] Type7272 (Class 16384)? . (72) (DF)

Pls note the timestamp. I believe my outgoing icmp packet is responding to
the ??dns query to my udp port 2234

I emailed icq support and asked them; they said this is not supported.

Here's my question:
1) Did I read the snort log wrong? port 0 -> port 0
2) Why is the icq server initiating traffic from a low port (53) to my high
port??

Any idea??
thx in advance, I appreciate your help

Rick

PS: Solaris7sparc(64bit) 300Mhz, 4Gb, 128Mb  Snort 181 build 74
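The thing to check when an alert like the one above looks odd is the quoted datagram itself: an ICMP Type 3 Code 3 message carries no ports of its own, and the "original datagram" line can only be right if the decoder reads the transport header that sits after the quoted IP header (RFC 792 requires the IP header plus at least the first 8 bytes of the offending datagram, which for UDP is the entire UDP header). The script below is an added example, not code from the post or from Snort: it rebuilds, from constructed bytes, the ICMP error a host would send for the 205.188.153.99:53 -> :2234 datagram in the tcpdump line (same TTL, IP ID and lengths; 192.0.2.20 stands in for the masked a.b.c.20, and the 72-byte UDP payload is zeros rather than the real DNS data), then decodes it the way a correct decoder must and prints the ports found in the quoted header.

```python
import socket
import struct

# Constructed sample values modelled on the post. The real a.b.c.20 is masked
# there, so 192.0.2.20 (TEST-NET-1) stands in for it; the server address, the
# UDP ports, TTLs, IP IDs and lengths are the ones the tcpdump and Snort lines show.
ICQ_SERVER = "205.188.153.99"
MY_HOST = "192.0.2.20"          # stand-in for the masked a.b.c.20

IPV4_HDR = "!BBHHHBBH4s4s"      # 20-byte IPv4 header, no options


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl, ident, df=False):
    """Prepend a checksummed 20-byte IPv4 header to payload."""
    flags_frag = 0x4000 if df else 0
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_udp(sport, dport, payload):
    """UDP header; checksum left zero, which IPv4 permits."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_icmp_port_unreachable(offending):
    """ICMP type 3 code 3 per RFC 792: 8-byte ICMP header, then the offending
    datagram's IP header plus its first 8 bytes (the whole UDP header)."""
    ihl = (offending[0] & 0x0F) * 4
    body = struct.pack("!BBHI", 3, 3, 0, 0) + offending[:ihl + 8]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_icmp_unreachable(packet):
    """Decode IPv4/ICMP unreachable and read the ports from the QUOTED datagram.
    The ICMP header itself carries no ports; a decoder that prints 0:0 for the
    original datagram has simply not parsed the quoted transport header."""
    ihl = (packet[0] & 0x0F) * 4
    _, _, olen, oid, oflags, ottl, proto, _, osrc, odst = struct.unpack(IPV4_HDR, packet[:20])
    if proto != 1:
        raise ValueError("not an ICMP packet")
    icmp = packet[ihl:]
    if icmp[0] != 3:
        raise ValueError("not ICMP destination unreachable")
    inner = icmp[8:]                                   # quoted original datagram
    iihl = (inner[0] & 0x0F) * 4
    _, _, ilen, iid, _, ittl, iproto, _, isrc, idst = struct.unpack(IPV4_HDR, inner[:20])
    sport = dport = None
    if iproto in (6, 17) and len(inner) >= iihl + 4:   # TCP/UDP: ports are the first 4 bytes
        sport, dport = struct.unpack("!HH", inner[iihl:iihl + 4])
    return {
        "outer_src": socket.inet_ntoa(osrc), "outer_dst": socket.inet_ntoa(odst),
        "outer_len": olen, "outer_ttl": ottl, "outer_id": oid, "outer_df": bool(oflags & 0x4000),
        "type": icmp[0], "code": icmp[1],
        "inner_src": socket.inet_ntoa(isrc), "inner_dst": socket.inet_ntoa(idst),
        "inner_len": ilen, "inner_ttl": ittl, "inner_id": iid, "inner_proto": iproto,
        "inner_sport": sport, "inner_dport": dport,
    }


def original_datagram_line(info):
    """The line a correct 'ORIGINAL DATAGRAM DUMP' prints for this packet."""
    return "%s:%s -> %s:%s" % (info["inner_src"], info["inner_sport"],
                               info["inner_dst"], info["inner_dport"])


def example_packet():
    """The ICMP error MY_HOST sends for the datagram in the tcpdump line:
    72 bytes of (constructed, zeroed) UDP payload, so IP total length 100;
    the reply quotes 20 + 8 bytes of it, so its own total length is 56."""
    offending = build_ipv4(ICQ_SERVER, MY_HOST, 17,
                           build_udp(53, 2234, b"\x00" * 72), ttl=231, ident=47112, df=True)
    return build_ipv4(MY_HOST, ICQ_SERVER, 1, build_icmp_port_unreachable(offending),
                      ttl=64, ident=2112, df=True)


if __name__ == "__main__":
    info = parse_icmp_unreachable(example_packet())
    print("outer DgmLen:%d  quoted DgmLen:%d" % (info["outer_len"], info["inner_len"]))
    print(original_datagram_line(info))
```

This also explains the empty tcpdump and ethereal results: a BPF "port 0" filter only looks at the TCP/UDP header of the outer packet, so it never matches an ICMP error, and it does not descend into the quoted datagram either. To pull these replies out of the capture, filter on the ICMP type and code instead, e.g. `tcpdump -r mytcpdumpbinaryfile 'icmp[icmptype] == icmp-unreach and icmp[icmpcode] == 3'`, and read the ports from the quoted header as the decoder above does.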