[Snort-users] bad traffic tcp port 0 traffic

John York YorkJ at ...7109...
Mon Oct 28 14:17:06 EST 2002


I've been seeing a fair amount of that traffic as well.  When I trace
the source, it often turns out to be video or music.  The kids in our
computer labs are pretty adept at finding P2P or clandestine music
sources.
Thanks
John
John York

Network Engineer
Blue Ridge Community College
1 College Lane/P.O. Box 80
Weyers Cave, VA  24486

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Miller,
Eoin
Sent: Monday, October 28, 2002 4:43 PM
To: John McCain; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] bad traffic tcp port 0 traffic

That specific one there looks to be a SOCKS proxy scan, being that the
destination port is 1080:
http://www.portsdb.org/bin/portsdb.cgi?search=1080

My guess as to why the source port is set to 0 is to get past more
firewalls; many people forget that 0 is a number, and they may block
1-65535 and leave out port 0.

From the IPFilter mailing list:
--begin snip--
Note that both the source port is zero, and they've turned on both TH_SYN
and TH_FIN on the packet. Both of these are undoubtedly in an attempt
to bypass a firewall.
--end snip--
http://false.net/ipfilter/1998_07/0012.html

That's just my guess, though.

> -----Original Message-----
> From: John McCain [mailto:jmccain at ...7336...]
> Sent: Monday, October 28, 2002 3:11 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] bad traffic tcp port 0 traffic
> 
> 
> I've seen several scans, from several different addresses and 
> targeting
> different ports, which are originating from TCP port 0, thus tripping
> the "bad traffic tcp port 0" rule.  Does anyone know what this traffic
> is?  Why would you want to launch a scan from tcp port 0?
> 
> begin sanitized log snip
> 
> 10/14-02:37:47.357584 ,BAD TRAFFIC tcp port 0
> traffic,TCP,66.250.114.252,0,(target
> ip),1080,0:8:E2:84:90:A,0:D0:B7:47:81:67,0x3C,******S*,0x15BEF
> ,0x0,20,0x200,111,0,1828,40,20,,,,
> 
> /snip
> 
> 
> Thanks.
> 
> 
> 
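An added triage example, not code from the thread or from Snort: it parses alert lines in the CSV layout of the sanitized log snip above and flags the two traits Eoin describes, a source port of 0 and SYN+FIN set together. The field order is assumed from that log line, and 192.0.2.10 / 192.0.2.11 stand in for the sanitized target; the second and third sample lines are constructed.

```python
import csv
import io

# Field order of Snort's CSV alert output as it appears in the thread's log
# snip (assumed; the trailing four fields are only filled for ICMP alerts).
CSV_FIELDS = [
    "timestamp", "msg", "proto", "src", "srcport", "dst", "dstport",
    "ethsrc", "ethdst", "ethlen", "tcpflags", "tcpseq", "tcpack", "tcplen",
    "tcpwindow", "ttl", "tos", "id", "dgmlen", "iplen",
    "icmptype", "icmpcode", "icmpid", "icmpseq",
]

# Constructed sample: the thread's line with 192.0.2.10 in place of the
# sanitized target, plus an invented SYN+FIN probe and an invented normal SYN.
SAMPLE_ALERTS = """\
10/14-02:37:47.357584 ,BAD TRAFFIC tcp port 0 traffic,TCP,66.250.114.252,0,192.0.2.10,1080,0:8:E2:84:90:A,0:D0:B7:47:81:67,0x3C,******S*,0x15BEF,0x0,20,0x200,111,0,1828,40,20,,,,
10/14-02:38:01.001200 ,BAD TRAFFIC tcp port 0 traffic,TCP,66.250.114.252,0,192.0.2.11,1080,0:8:E2:84:90:A,0:D0:B7:47:81:67,0x3C,******SF,0x15C00,0x0,20,0x200,111,0,1829,40,20,,,,
10/14-02:39:15.442000 ,WEB-MISC constructed alert,TCP,198.51.100.7,40123,192.0.2.10,80,0:8:E2:84:90:A,0:D0:B7:47:81:67,0x3C,******S*,0x1A2B3C,0x0,20,0x200,64,0,4000,40,20,,,,
"""

def parse_alerts(text):
    """Parse Snort CSV alert lines into dicts keyed by CSV_FIELDS."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if row:
            rows.append(dict(zip(CSV_FIELDS, (f.strip() for f in row))))
    return rows

def flag_reasons(alert):
    """Why a TCP alert looks like a firewall-evasion probe (empty if it doesn't)."""
    reasons = []
    if alert["proto"] != "TCP":
        return reasons
    if alert["srcport"] == "0":          # port 0 slips past 1-65535 filters
        reasons.append("source port 0")
    flags = alert["tcpflags"]            # 8-char "12UAPRSF", '*' = bit not set
    if "S" in flags and "F" in flags:    # SYN+FIN never occurs in a real handshake
        reasons.append("SYN+FIN set together")
    return reasons

def triage(text):
    """Map each suspicious source IP to its list of (dstport, reasons)."""
    suspicious = {}
    for alert in parse_alerts(text):
        reasons = flag_reasons(alert)
        if reasons:
            suspicious.setdefault(alert["src"], []).append((alert["dstport"], reasons))
    return suspicious
```

Feeding a real alert_csv file through triage() groups the port-0 and SYN+FIN hits by source, which is the first step before tracing them back to a lab host as John describes.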