[Snort-users] just curious

Matt Kettler mkettler at ...4108...
Tue Dec 17 11:36:02 EST 2002


Hmm, what was the source-port, just a random one? Anything at all familiar 
about the source IP?

Also, before I look too closely at the data, are you sure that's the actual 
data (ie: is the original EXACTLY 110 byes long, and contains no non-ASCII 
bytes)? A quick casual inspection of that string doesn't ring a bell, but 
if there's bytes missing.... well...


If it's not 110 bytes, send a hexdump of the real data (yes, hexdump is the 
name of a unix utility for dumping binary hex values). Trying to email a 
binary that's been copy-pasted as text worthless.. any spot there's a 00 
byte it will be dropped, among lots of other bytes.

For what it's worth, Port 14000 seems to be a default port for Inprise 
Visibroker..


At 01:18 AM 12/17/2002 -0600, Ronneil Camara wrote:
>Would you know guys what this string means?
>B at ...4772...%mqqu?**rrr+vli`kq`w+fjh*fbl(glk*kum(bj+fbl*44444*3=2121257c25273c2=2<7`3 
>220342731262130277`363c3a7c3632su
>It's because, I was seeing a syn connection to my firewall on port 14000
>but my firewall was blocking it. So I opened up that port and created
>a netcat listener. That's the string that I captured.
>So what is it?
>Neil





More information about the Snort-users mailing list