[Snort-users] bad traffic tcp port 0 traffic

Miller, Eoin Miller at ...6968...
Mon Oct 28 13:44:04 EST 2002


that specific one there looks to be a SOCKS proxy scan, being that the destination port is 1080:
http://www.portsdb.org/bin/portsdb.cgi?search=1080

my guess as to why the source port is set to 0 is to get past more firewalls, many people forget that 0 is a number, and they may block 1-65535 and leave out port 0. 

from the IPFilter mailing list:
--begin snip--
Note that both the source port is zero, and they've turned on both TH_SYN
and TH_FIN on the packet. Both of these are undoubtedly in an attempt
to bypass a firewall.
--end snip--
http://false.net/ipfilter/1998_07/0012.html

that's just my guess though.

> -----Original Message-----
> From: John McCain [mailto:jmccain at ...7336...]
> Sent: Monday, October 28, 2002 3:11 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] bad traffic tcp port 0 traffic
> 
> 
> I've seen several scans, from several different addresses and
> targeting different ports, which are originating from TCP port 0, thus
> tripping the "bad traffic tcp port 0" rule.  Does anyone know what this
> traffic is?  Why would you want to launch a scan from tcp port 0?
> 
> begin sanitized log snip
> 
> 10/14-02:37:47.357584 ,BAD TRAFFIC tcp port 0 traffic,TCP,66.250.114.252,0,(target ip),1080,0:8:E2:84:90:A,0:D0:B7:47:81:67,0x3C,******S*,0x15BEF,0x0,20,0x200,111,0,1828,40,20,,,,
> 
> /snip
> 
> 
> Thanks.
> 
> 
> 
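The triage the thread is doing by hand (spotting source port 0, a SOCKS destination port, and the SYN+FIN combination the IPFilter quote mentions) is easy to automate over Snort's CSV alert output. The script below is an added example, not code from the Snort-users thread or from the Snort project. It assumes Snort's default alert_csv field order and Snort's "12UAPRSF" flag string notation ('*' for an unset flag); the first sample line is the one quoted in the thread rejoined onto a single line, the other two are constructed for illustration.

```python
"""Triage helper for Snort alert_csv lines: flags reserved-port and
bad-flag-combination traffic of the kind discussed in this thread.

Added example (not from the Snort-users thread or the Snort project).
Assumes Snort's default alert_csv field order, listed in CSV_FIELDS.
"""
import csv
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Field order of Snort's alert_csv output in its default configuration.
CSV_FIELDS = (
    "timestamp", "msg", "proto", "src", "srcport", "dst", "dstport",
    "ethsrc", "ethdst", "ethlen", "tcpflags", "tcpseq", "tcpack", "tcplen",
    "tcpwindow", "ttl", "tos", "id", "dgmlen", "iplen",
    "icmptype", "icmpcode", "icmpid", "icmpseq",
)


@dataclass
class Alert:
    timestamp: str
    msg: str
    proto: str
    src: str
    srcport: Optional[int]
    dst: str
    dstport: Optional[int]
    tcpflags: str  # Snort prints flags in the order 12UAPRSF, '*' for unset


def _port(value: str) -> Optional[int]:
    """Ports arrive as text; anything non-numeric (e.g. ICMP alerts) becomes None."""
    return int(value) if value.isdigit() else None


def parse_alert(line: str) -> Alert:
    """Parse one alert_csv line into an Alert; raises on a malformed field count."""
    fields = [f.strip() for f in next(csv.reader([line]))]
    if len(fields) != len(CSV_FIELDS):
        raise ValueError(f"expected {len(CSV_FIELDS)} fields, got {len(fields)}")
    rec = dict(zip(CSV_FIELDS, fields))
    return Alert(
        timestamp=rec["timestamp"], msg=rec["msg"], proto=rec["proto"],
        src=rec["src"], srcport=_port(rec["srcport"]),
        dst=rec["dst"], dstport=_port(rec["dstport"]),
        tcpflags=rec["tcpflags"],
    )


def triage(alert: Alert) -> List[str]:
    """Return human-readable findings for one TCP alert (empty list = nothing odd)."""
    findings: List[str] = []
    if alert.proto != "TCP":
        return findings
    if alert.srcport == 0:
        findings.append("source port 0: reserved, no legitimate TCP client uses it")
    if alert.dstport == 0:
        findings.append("destination port 0: reserved, nothing should listen there")
    if "S" in alert.tcpflags and "F" in alert.tcpflags:
        findings.append("SYN and FIN set together: invalid combination, firewall-evasion probe")
    if alert.dstport == 1080:
        findings.append("destination port 1080 (SOCKS): consistent with an open-proxy scan")
    return findings


def triage_log(lines: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Triage every line, returning (source address, findings) pairs in order."""
    return [(a.src, triage(a)) for a in map(parse_alert, lines)]


SAMPLE_LINES = [
    # The line quoted in the thread, rejoined onto one line.
    "10/14-02:37:47.357584 ,BAD TRAFFIC tcp port 0 traffic,TCP,66.250.114.252,0,(target ip),1080,0:8:E2:84:90:A,0:D0:B7:47:81:67,0x3C,******S*,0x15BEF,0x0,20,0x200,111,0,1828,40,20,,,,",
    # Constructed: source port 0 plus SYN+FIN, the pattern the IPFilter quote describes.
    "10/14-02:38:01.000000 ,BAD TRAFFIC tcp port 0 traffic,TCP,192.0.2.10,0,198.51.100.5,25,0:8:E2:84:90:A,0:D0:B7:47:81:67,0x3C,******SF,0x1,0x0,20,0x200,64,0,1,40,20,,,,",
    # Constructed: ordinary SYN from an ephemeral port; should produce no findings.
    "10/14-02:38:05.000000 ,SOME OTHER RULE,TCP,192.0.2.20,51234,198.51.100.5,80,0:8:E2:84:90:A,0:D0:B7:47:81:67,0x3C,******S*,0x2,0x0,20,0x200,64,0,2,40,20,,,,",
]

if __name__ == "__main__":
    for src, findings in triage_log(SAMPLE_LINES):
        print(src, "->", findings or "nothing unusual")
```

Feed it `snort -A csv` output (or a saved alert file) one line at a time; the SYN+FIN check only fires when both letters are present in the flag string, so a plain SYN scan such as the one quoted above is reported solely on its reserved source port and SOCKS destination.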