[Snort-users] bad traffic tcp port 0 traffic
YorkJ at ...7109...
Mon Oct 28 14:17:06 EST 2002
I've been seeing a fair amount of that traffic as well. When I trace
the source, it often turns out to be video or music. The kids in our
computer labs are pretty adept at finding P2P or clandestine music
Blue Ridge Community College
1 College Lane/P.O. Box 80
Weyers Cave, VA 24486
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Miller,
Sent: Monday, October 28, 2002 4:43 PM
To: John McCain; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] bad traffic tcp port 0 traffic
that specific one there looks to be a SOCKS proxy scan, being that the
destination port is 1080:
my guess as to why the source port is set to 0 is to get past more
firewalls; many people forget that 0 is a number, and they may block
1-65535 and leave out port 0.
from the IPFilter mailing list:
Note that both the source port is zero, and they've turned on both
and TH_FIN on the packet. Both of these are undoubtedly in an attempt
to bypass a firewall.
That's just my guess though.
> -----Original Message-----
> From: John McCain [mailto:jmccain at ...7336...]
> Sent: Monday, October 28, 2002 3:11 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] bad traffic tcp port 0 traffic
> I've seen several scans, from several different addresses and
> different ports, which are originating from TCP port 0, thus tripping
> the "bad traffic tcp port 0" rule. Does anyone know what this traffic
> is? Why would you want to launch a scan from tcp port 0?
> begin sanitized log snip
> 10/14-02:37:47.357584 ,BAD TRAFFIC tcp port 0
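The checks discussed in this thread, written out as an added example (not code from the thread, from Snort or from IPFilter): parse a raw IPv4/TCP packet, flag TCP port 0 on either side, flag FIN set together with SYN, and flag a SYN to TCP/1080 as a SOCKS probe. The quoted IPFilter note names only TH_FIN, so pairing it with TH_SYN is an assumption made here. The two blocklist functions at the end illustrate the "block 1-65535 and leave out port 0" point: the naive range misses port 0, the full 16-bit range does not. All packets are constructed inline; nothing is read from a live network.

```python
"""Flag the TCP anomalies from the port-0 thread on raw IPv4/TCP packets."""
import struct

# TCP flag bits, as named in the IPFilter quote (TH_FIN) and its BSD siblings
TH_FIN, TH_SYN, TH_RST, TH_PSH, TH_ACK, TH_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_packet(src_ip, dst_ip, sport, dport, flags):
    """Construct a minimal 20-byte IPv4 header followed by a 20-byte TCP header.
    Checksums stay zero; the parser below does not verify them."""
    ver_ihl = (4 << 4) | 5            # IPv4, header length 5 words
    ip_hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 40, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    data_offset = 5 << 4              # 20-byte TCP header, upper nibble
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                          data_offset, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr


def parse_ipv4_tcp(pkt):
    """Return (src_ip, dst_ip, sport, dport, flags), or None if not IPv4/TCP."""
    if len(pkt) < 20:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or len(pkt) < ihl + 20:
        return None
    sport, dport, _, _, _, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    dotted = lambda b: ".".join(str(x) for x in b)
    return dotted(src), dotted(dst), sport, dport, flags


def classify(pkt):
    """Return the alert names raised for one packet; [] means nothing suspicious."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return []
    _, _, sport, dport, flags = parsed
    alerts = []
    if sport == 0 or dport == 0:
        alerts.append("BAD TRAFFIC tcp port 0")
    if flags & TH_SYN and flags & TH_FIN:          # SYN paired with FIN: assumed here
        alerts.append("SYN FIN scan")
    if dport == 1080 and flags & TH_SYN and not flags & TH_ACK:
        alerts.append("SOCKS proxy probe")
    return alerts


def naive_blocklist_hit(port):
    """Filter written as 'block 1-65535': port 0 is a valid uint16 value and slips through."""
    return 1 <= port <= 65535


def correct_blocklist_hit(port):
    """Same policy over the full 16-bit range, so port 0 is covered."""
    return 0 <= port <= 65535


# Constructed sample packets (addresses are documentation ranges, not real hosts)
SAMPLES = {
    # the case from the thread: source port 0, SYN+FIN, destination 1080
    "socks_probe": build_packet("192.0.2.10", "198.51.100.5", 0, 1080, TH_SYN | TH_FIN),
    # ordinary web connection attempt, should raise nothing
    "normal": build_packet("192.0.2.11", "198.51.100.5", 40000, 80, TH_SYN),
    # port 0 as destination only
    "dport_zero": build_packet("192.0.2.12", "198.51.100.5", 5555, 0, TH_SYN),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, parse_ipv4_tcp(pkt), classify(pkt))
```

Run it directly to see each constructed packet decoded alongside the alerts it triggers; the point of the two blocklist helpers is that `naive_blocklist_hit(0)` is False while the same packet still has a perfectly valid TCP header.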