procana at ...4296...
Mon Nov 17 09:44:07 EST 2003
The reason the alert fired was because the ack flag
was set and the ack field value was 0.
As far as the source port being set to 80, this
in conjunction with the ack flag used to confuse
The rationale was that if internal traffic was allowed
to access external web sites and the firewall didn't
maintain state, this traffic could slip into the internal
network. Almost all *modern* firewalls maintain state
and this traffic is blocked. Also, the 0 ack number
with the ack flag set really makes it stick out.
Hope this helps,
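As an added example (not part of the original post), a small Python check for the condition the reply describes: ACK flag set while the acknowledgement number is 0, with a note when the source port is 80. The TCP header bytes are constructed inline for testing; the function and sample names are my own.

```python
import struct

ACK_FLAG = 0x10  # TCP ACK bit in the flags field


def parse_tcp_header(raw: bytes) -> dict:
    """Parse the fixed 20-byte TCP header; options are not needed for this check."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", raw[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF,          # low 9 bits carry the control flags
        "data_offset": (off_flags >> 12) * 4,  # header length in bytes
    }


def ack_zero_anomaly(hdr: dict) -> bool:
    """ACK flag set but acknowledgement number is 0: the condition that fired the alert."""
    return bool(hdr["flags"] & ACK_FLAG) and hdr["ack"] == 0


def classify(raw: bytes) -> str:
    """Label a segment the way an analyst would triage it from the post's description."""
    hdr = parse_tcp_header(raw)
    if ack_zero_anomaly(hdr):
        if hdr["sport"] == 80:
            # Source port 80 plus ACK was the classic stateless-firewall slip-through pattern
            return "ack-zero from sport 80 (stateless-firewall bypass pattern)"
        return "ack-zero"
    return "normal"


def build_tcp(sport: int, dport: int, seq: int, ack: int, flags: int, win: int = 65535) -> bytes:
    """Construct a 20-byte TCP header for testing (data offset 5, checksum left as 0)."""
    off_flags = (5 << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, win, 0, 0)


# Constructed sample segments (not captured traffic)
SAMPLES = {
    "suspicious": build_tcp(80, 1025, 12345, 0, ACK_FLAG),     # ACK set, ack=0, sport 80
    "ordinary": build_tcp(80, 1025, 12345, 4242, ACK_FLAG),    # normal ACK from a web server
    "ack_zero_other": build_tcp(443, 1025, 99, 0, ACK_FLAG),   # ack=0 but not sport 80
    "syn": build_tcp(1025, 80, 1, 0, 0x02),                    # SYN: ack=0 is expected here
}

if __name__ == "__main__":
    for name, seg in SAMPLES.items():
        print(f"{name}: {classify(seg)}")
```

A legitimate ACK can carry acknowledgement number 0 only when the sequence space wraps exactly there, which is why the post calls this combination so conspicuous.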