[Snort-users] Flex Resp Is Resetting The Wrong Port

Andy Wood andy.wood at ...9040...
Mon Apr 28 06:31:12 EDT 2003


	The subject says it all.  It is a very basic rule, just for testing.
Below is the rule:

alert tcp 23.45.130.209 any -> 12.23.8.155 80 (msg:"Test Connection Reset"; resp: rst_all; sid:1001001; rev:1;)

	Notice below that the reset response is happening on tcp port 28,
and the web page still displays.

	Any Ideas??  Thanks!

	Andy


[root at ...9041... log]# tcpdump -i eth0 -p -n -nn tcp and host 23.45.130.209 and not port ssh
tcpdump: listening on eth0

19:23:11.016812 23.45.130.209.3811 > 12.23.8.155.80: S 964698099:964698099(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
19:23:11.017066 12.23.8.155.80 > 23.45.130.209.3811: S 1452223348:1452223348(0) ack 964698100 win 5840 <mss 1460,nop,nop,sackOK> (DF)

19:23:11.017820 12.23.8.155.28 > 23.45.130.209.3811: R 0:0(0) ack 964698099 win 0
19:23:11.067777 23.45.130.209.3811 > 12.23.8.155.80: . ack 1 win 64240 (DF)
19:23:11.068263 12.23.8.155.28 > 23.45.130.209.3811: R 1452223349:1452223349(0) ack 2 win 0
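
One way to check a capture like the one above for resets that belong to no observed connection, as an added example that is not part of the original post. The function names are hypothetical, and the parser assumes the old tcpdump text format shown in the capture.

```python
import re

# Old tcpdump text format: time, src ip.port, dst ip.port, then the flags field.
LINE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (\S+)"
)

# The five packets from the capture in the post, one packet per line.
CAPTURE = """\
19:23:11.016812 23.45.130.209.3811 > 12.23.8.155.80: S 964698099:964698099(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
19:23:11.017066 12.23.8.155.80 > 23.45.130.209.3811: S 1452223348:1452223348(0) ack 964698100 win 5840 <mss 1460,nop,nop,sackOK> (DF)
19:23:11.017820 12.23.8.155.28 > 23.45.130.209.3811: R 0:0(0) ack 964698099 win 0
19:23:11.067777 23.45.130.209.3811 > 12.23.8.155.80: . ack 1 win 64240 (DF)
19:23:11.068263 12.23.8.155.28 > 23.45.130.209.3811: R 1452223349:1452223349(0) ack 2 win 0
"""


def parse(text):
    """Yield (time, (src_ip, src_port), (dst_ip, dst_port), flags) per packet."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, sip, sport, dip, dport, flags = m.groups()
            yield ts, (sip, int(sport)), (dip, int(dport)), flags


def misdirected_resets(text):
    """Return RSTs whose endpoint pair matches no connection opened by a SYN."""
    flows = set()  # unordered endpoint pairs, so both directions match
    findings = []
    for ts, src, dst, flags in parse(text):
        pair = frozenset((src, dst))
        if "S" in flags:
            flows.add(pair)
        elif "R" in flags and pair not in flows:
            findings.append((ts, src, dst))
    return findings


if __name__ == "__main__":
    for ts, src, dst in misdirected_resets(CAPTURE):
        print(f"{ts} RST {src[0]}:{src[1]} -> {dst[0]}:{dst[1]} matches no open flow")
```

Both resets in the capture are reported: a RST sourced from port 28 does not match the 3811/80 connection, so the client has no connection to tear down with it.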



