[Snort-users] Nmap

Matt Kettler mkettler at ...4108...
Tue Nov 18 08:52:10 EST 2003

At 06:13 AM 11/15/2003, Mark Fagan wrote:
>I dont fully agree here.
>Unless your using an antique firewall its not possible to allow traffic based
>on source port.

To my knowledge every version of IPChains, IPTables, openbsd PF, BSD IPF, 
Cisco PIX, and Cisco IOS has some form of rule which you can add to force 
allow traffic to pass the firewall based only on source port.

Not that it's a good idea.. but I challenge your assertion that it's not 
possible on a modern firewall... In fact, I'd be surprised if _any_ major 
firewalls would flat out refuse such a rule if manually configured to do 
so.. Maybe some of the more paranoid ones such as the Secure Computing 
Sidewinder G2 might refuse such things, but certainly there are a large 
number of major firewalls that will accept such things.

>Also anyone who (where possible) allows traffic based on source port needs
>their heads examined.

I agree.. that's why I referred to said admins as incompetent. Yes, they do 
need their heads examined, but there really are admins out there that know 
absolutely nothing about TCP/IP that are administering firewalls. It's very 
common for a small company to have a single MCSE guy on staff to run their 
Windows NT/2k/2003 file servers who is also responsible (by default) for 
running the firewall..

Not all MCSE's know TCP/IP, and the ones that don't are just going to make 
up some arbitrary bypass rules to "make it work" without understanding 
what's going on. This really does happen, and hackers do know it, and do 
try to take advantage of it.

>The source port seems spoofed in this example, however B2B applications I 
>seen previously can use same source as dest port for communication, so dont
>panic until you actually investigate the source.

In this case it's not the same src/dest port pairing.. it's TCP traffic 
from a HTTP port to a DNS port.. That traffic pattern is VERY suspect.

Sure it's possible that some crack smoking Windows programmer decided that 
DNS queries should be done using port 80 as a source, and be done using TCP 
instead of UDP.. but that's not very likely.

More information about the Snort-users mailing list