[Snort-users] Nmap

Matt Kettler mkettler at ...4108...
Fri Nov 14 09:05:22 EST 2003


At 08:19 AM 11/14/2003, Gerson Sampaio wrote:
>Hi List,
>I received this alert and I'd like to know why the
>source is using port 80. Is this forged?
>
>11/13-17:26:42.075512 [**] [1:628:2] SCAN nmap TCP
>[**] [Classification: Attempted Information Leak]
>[Priority: 2] {TCP} x.x.x.x:80 -> y.y.y.y:53

No, it's very common for people doing network scans to use port 80 as a 
source port in order to bypass very poorly configured firewalls.

Some incompetent admins just do an absolute pass of any TCP from port 80, 
without regard for destination port, flags, or state... Even a stateless 
packet filter can be made to at least require an ack-bit to be set and 
require the dest port to be >= 1024.
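
The two filter policies described in the reply above, compared side by side as an added example (not part of the original message). The `Packet` type, the rule function names and the sample packets are constructed for illustration.

```python
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10  # TCP flag bits

@dataclass(frozen=True)
class Packet:
    sport: int   # TCP source port
    dport: int   # TCP destination port
    flags: int   # TCP flags byte

def weak_rule(p: Packet) -> bool:
    """The misconfiguration: pass any TCP whose source port is 80."""
    return p.sport == 80

def stricter_rule(p: Packet) -> bool:
    """Stateless rule from the reply: source port 80, ACK bit set,
    destination port >= 1024. It still keeps no connection state, so it
    cannot confirm that the packet answers a request the inside host sent."""
    return p.sport == 80 and bool(p.flags & ACK) and p.dport >= 1024

# Constructed sample packets (not taken from the alert's capture).
SAMPLES = {
    "sport80_syn_to_53":    Packet(80, 53, SYN),           # same port pair as the alert
    "sport80_ack_to_53":    Packet(80, 53, ACK),
    "sport80_syn_to_40000": Packet(80, 40000, SYN),        # new connection attempt
    "web_reply_to_40000":   Packet(80, 40000, SYN | ACK),  # shape of a real HTTP reply
}

def evaluate(rule) -> dict:
    """Return {sample name: True if the rule passes the packet}."""
    return {name: rule(p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    weak, strict = evaluate(weak_rule), evaluate(stricter_rule)
    print(f"{'packet':<24}{'weak':<8}{'stricter'}")
    for name in SAMPLES:
        print(f"{name:<24}{'PASS' if weak[name] else 'DROP':<8}"
              f"{'PASS' if strict[name] else 'DROP'}")
```

The weak rule passes all four packets; the stricter rule passes only the reply-shaped packet to a high port and drops everything aimed at port 53.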





