[Snort-users] Nmap

MH procana at ...4296...
Mon Nov 17 09:44:07 EST 2003


Hi Gerson,

The reason the alert fired was because the ack flag
was set and the ack field value was 0. 
As far as the source port being set to 80, this
in conjunction with the ack flag used to confuse
some firewalls.  
The rationale was that if internal traffic was allowed
to access external web sites and the firewall didn't
maintain state, this traffic could slip into the internal
network.  Almost all *modern* firewalls maintain state
and this traffic is blocked.  Also, the 0 ack number 
with the ack flag set really makes it stick out.

Hope this helps,
Mike
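The two points in the reply above, the ACK-flag-with-ack-number-0 condition that made the alert fire and the stateless-versus-stateful firewall handling of source port 80, as an added example that is not part of this thread and not Snort's own code. It builds three constructed IPv4/TCP packets inline (addresses 192.0.2.1 and 10.0.0.5, ports 1025/1026, all made up for the example), parses the headers back, and runs the same check over each:

```python
import struct

# Added example, not from the mailing-list thread. Packets are constructed
# inline so the check runs offline; nothing here captures or sends traffic.

TCP_SYN = 0x02
TCP_ACK = 0x10


def build_ipv4_tcp(sport, dport, seq, ack, flags, src, dst):
    """Build a minimal IPv4 header (no options) plus a 20-byte TCP header.
    Checksums stay zero; none of the checks below look at them."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     src, dst)
    return ip + tcp


def parse_ipv4_tcp(packet):
    """Pull out just the fields the checks need from a raw IPv4/TCP packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 6:
        raise ValueError("not a TCP packet")
    tcp = packet[ihl:ihl + 20]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {"src": packet[12:16], "dst": packet[16:20], "sport": sport,
            "dport": dport, "seq": seq, "ack": ack, "flags": off_flags & 0x01FF}


def is_ack_zero_probe(f):
    """What made the alert fire: ACK flag set while the acknowledgment number
    is 0. A real ACK acknowledges the peer's sequence number, which is 0 only
    by a 1-in-2^32 coincidence, so the combination stands out."""
    return bool(f["flags"] & TCP_ACK) and f["ack"] == 0


def stateless_allows(f):
    """The old stateless 'established' rule the reply describes: anything
    coming back from source port 80 with ACK set is let in, no questions."""
    return f["sport"] == 80 and bool(f["flags"] & TCP_ACK)


def stateful_allows(f, connections):
    """A stateful firewall only admits ACK segments that belong to a connection
    an inside host actually opened, tracked here as a 4-tuple."""
    if not f["flags"] & TCP_ACK:
        return False
    return (f["dst"], f["dport"], f["src"], f["sport"]) in connections


def analyse(packet, connections):
    """Return the verdict of each check for one inbound packet."""
    f = parse_ipv4_tcp(packet)
    return {"alert": is_ack_zero_probe(f),
            "stateless": stateless_allows(f),
            "stateful": stateful_allows(f, connections)}


# Constructed sample traffic: 192.0.2.1 is "outside", 10.0.0.5 is "inside".
OUTSIDE, INSIDE = b"\xc0\x00\x02\x01", b"\x0a\x00\x00\x05"
# The probe from the thread: source port 80, ACK set, acknowledgment number 0.
PROBE = build_ipv4_tcp(80, 1026, 12345, 0, TCP_ACK, OUTSIDE, INSIDE)
# A normal reply from a web server the inside host really connected to.
REPLY = build_ipv4_tcp(80, 1025, 12345, 98765, TCP_ACK, OUTSIDE, INSIDE)
# An unrelated inbound SYN: no ACK flag, so neither rule nor the alert applies.
SYN = build_ipv4_tcp(4444, 22, 1, 0, TCP_SYN, OUTSIDE, INSIDE)
# State table: the inside host opened 10.0.0.5:1025 -> 192.0.2.1:80.
CONNECTIONS = {(INSIDE, 1025, OUTSIDE, 80)}

if __name__ == "__main__":
    for name, pkt in (("probe", PROBE), ("reply", REPLY), ("syn", SYN)):
        print(name, analyse(pkt, CONNECTIONS))
```

The probe passes the stateless rule and trips the alert; the genuine reply passes both firewalls and stays quiet; the stateful table rejects the probe because no inside host ever opened that connection, which is the "almost all modern firewalls maintain state" point in the reply.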
