[Snort-users] bad traffic tcp port 0 traffic

John McCain jmccain at ...7336...
Mon Oct 28 13:14:03 EST 2002


I've seen several scans, from several different addresses and targeting
different ports, which are originating from TCP port 0, thus tripping
the "bad traffic tcp port 0" rule.  Does anyone know what this traffic
is?  Why would you want to launch a scan from tcp port 0?

begin sanitized log snip

10/14-02:37:47.357584 ,BAD TRAFFIC tcp port 0 traffic,TCP,66.250.114.252,0,(target ip),1080,0:8:E2:84:90:A,0:D0:B7:47:81:67,0x3C,******S*,0x15BEF,0x0,20,0x200,111,0,1828,40,20,,,,

/snip


Thanks.
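
Added example, not part of the original post and not Snort project code: one way to triage CSV alerts like the one quoted above, grouping TCP alerts with source port 0 by source address and listing the destination ports each one touched. The column order is an assumption inferred from the quoted alert, and the sample lines are constructed with documentation addresses.

```python
import csv
from collections import defaultdict

# Column order inferred from the alert quoted in the post (assumption: the
# actual order depends on how the CSV output plugin is configured).
FIELDS = ("timestamp msg proto src srcport dst dstport ethsrc ethdst ethlen "
          "tcpflags tcpseq tcpack tcplen tcpwindow ttl tos id dgmlen iplen "
          "icmptype icmpcode icmpid icmpseq").split()

# Constructed sample alerts using documentation address ranges.
SAMPLE = """\
10/14-02:37:47.357584 ,BAD TRAFFIC tcp port 0 traffic,TCP,192.0.2.10,0,198.51.100.5,1080,0:8:E2:84:90:A,0:D0:B7:47:81:67,0x3C,******S*,0x15BEF,0x0,20,0x200,111,0,1828,40,20,,,,
10/14-02:37:48.101200 ,BAD TRAFFIC tcp port 0 traffic,TCP,192.0.2.10,0,198.51.100.5,8080,0:8:E2:84:90:A,0:D0:B7:47:81:67,0x3C,******S*,0x15BF0,0x0,20,0x200,111,0,1829,40,20,,,,
10/14-03:02:11.640031 ,BAD TRAFFIC tcp port 0 traffic,TCP,203.0.113.7,0,198.51.100.9,3128,0:8:E2:84:90:A,0:D0:B7:47:81:67,0x3C,***A**S*,0x2A11,0x1,20,0x400,52,0,77,40,20,,,,
10/14-03:05:00.000100 ,EXAMPLE unrelated alert,TCP,198.51.100.77,34567,198.51.100.5,80,0:8:E2:84:90:A,0:D0:B7:47:81:67,0x3C,******S*,0x1,0x0,20,0x4000,64,0,5,40,20,,,,
10/14-03:06:00.000000 ,BAD TRAFFIC tcp port 0
"""

def parse_alerts(text):
    """Return one dict per well-formed CSV alert line."""
    rows = []
    for rec in csv.reader(text.splitlines()):
        if len(rec) != len(FIELDS):
            continue  # wrapped or truncated line, e.g. mangled by e-mail
        rows.append(dict(zip(FIELDS, (f.strip() for f in rec))))
    return rows

def port0_sources(rows):
    """Summarise TCP alerts whose source port is 0, grouped by source IP."""
    summary = defaultdict(lambda: {"count": 0, "syn_only": 0, "dports": set()})
    for r in rows:
        if r["proto"] != "TCP" or r["srcport"] != "0":
            continue
        entry = summary[r["src"]]
        entry["count"] += 1
        entry["dports"].add(int(r["dstport"]))
        # Snort prints unset flag positions as '*'; a bare SYN is "******S*".
        if r["tcpflags"].replace("*", "") == "S":
            entry["syn_only"] += 1
    return dict(summary)

if __name__ == "__main__":
    for src, info in sorted(port0_sources(parse_alerts(SAMPLE)).items()):
        print(src, info["count"], info["syn_only"], sorted(info["dports"]))
```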




