[Snort-users] Nmap

Mark Fagan r00t at ...10564...
Sat Nov 15 10:09:04 EST 2003


I dont fully agree here.

Unless your using an antique firewall its not possible to allow traffic based 
on source port.

Also anyone who (where possible) allows traffic based on source port needs 
their heads examined.

The source port seems spoofed in this example, however B2B applications I have 
seen previously can use same source as dest port for communication, so dont 
panic until you actually investigate the source.

Cheers

Mark


Quoting Matt Kettler <mkettler at ...4108...>:

> At 08:19 AM 11/14/2003, Gerson Sampaio wrote:
> >Hi List,
> >i received this alert and i'd like to know why the
> >source is using port 80. Is this forged ?
> >
> >11/13-17:26:42.075512 [**] [1:628:2] SCAN nmap TCP
> >[**] [Classification: Attempted Information Leak]
> >[Priority: 2] {TCP} x.x.x.x:80 -> y.y.y.y:53
> 
> No, it's very common for people doing network scans to use port 80 as a 
> source port in order to bypass very poorly configured firewalls.
> 
> Some incompetent admins just do an absolute pass of any tcp from port 80, 
> without regards for destination port, flags, or state... Even a stateless 
> packet filter can be made to at least require an ack-bit to be set and 
> require the dest port to be >= 1024.
> 
> 
> 
> 
> -------------------------------------------------------
> This SF.Net email sponsored by: ApacheCon 2003,
> 16-19 November in Las Vegas. Learn firsthand the latest
> developments in Apache, PHP, Perl, XML, Java, MySQL,
> WebDAV, and more! http://www.apachecon.com/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 







More information about the Snort-users mailing list