[Snort-users] Nmap

Mark Fagan r00t at ...10564...
Wed Nov 19 03:58:03 EST 2003

Hi Matt,

I don't actually work with many of the firewalls you mentioned except for the 
PIX; I also work with Checkpoint and Netscreen.

For Checkpoint and Netscreen you would need to really do things arse-ways in 
order to make such a mistake.

I would like to hear any other views on this.

Do people really do filtering based on source port ?????

Also I have been an MCSE since 3.5 and feel MCSEs tend not to know very much 
about IP anyway.

Quoting Matt Kettler <mkettler at ...4108...>:

> At 06:13 AM 11/15/2003, Mark Fagan wrote:
> >I don't fully agree here.
> >
> >Unless you're using an antique firewall it's not possible to allow traffic
> >based on source port.
> To my knowledge every version of IPChains, IPTables, openbsd PF, BSD IPF, 
> Cisco PIX, and Cisco IOS has some form of rule which you can add to force 
> allow traffic to pass the firewall based only on source port.
> Not that it's a good idea.. but I challenge your assertion that it's not 
> possible on a modern firewall... In fact, I'd be surprised if _any_ major 
> firewalls would flat out refuse such a rule if manually configured to do 
> so.. Maybe some of the more paranoid ones such as the Secure Computing 
> Sidewinder G2 might refuse such things, but certainly there are a large 
> number of major firewalls that will accept such things.
> >Also anyone who (where possible) allows traffic based on source port needs
> >their heads examined.
> I agree.. that's why I referred to said admins as incompetent. Yes, they do
> need their heads examined, but there really are admins out there that know 
> absolutely nothing about TCP/IP that are administering firewalls. It's very
> common for a small company to have a single MCSE guy on staff to run their 
> Windows NT/2k/2003 file servers who is also responsible (by default) for 
> running the firewall..
> Not all MCSEs know TCP/IP, and the ones that don't are just going to make 
> up some arbitrary bypass rules to "make it work" without understanding 
> what's going on. This really does happen, and hackers do know it, and do 
> try to take advantage of it.
> >The source port seems spoofed in this example, however B2B applications I 
> >have seen previously can use same source as dest port for communication, so
> >don't panic until you actually investigate the source.
> In this case it's not the same src/dest port pairing.. it's TCP traffic 
> from a HTTP port to a DNS port.. That traffic pattern is VERY suspect.
> Sure it's possible that some crack smoking Windows programmer decided that 
> DNS queries should be done using port 80 as a source, and be done using TCP
> instead of UDP.. but that's not very likely.
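As an added illustration of the two points argued above (not code from either poster or from Snort), the script below models the "allow by source port" rule Matt describes and a simple check for the traffic pattern he calls suspect: a new TCP connection from a service port such as 80 aimed at another service port such as 53. The flow records, addresses and the `review()` helper are constructed for this example; a real client picks an ephemeral source port, and a real server's reply is never a new connection, which is what the check relies on.

```python
from dataclasses import dataclass
import re

# Constructed records: the first packet of each flow (the SYN for TCP), in a
# simple "proto src:sport > dst:dport" form a flow logger might export.
SAMPLE_FLOWS = """\
tcp 203.0.113.5:80 > 192.0.2.10:53
udp 192.0.2.10:34567 > 198.51.100.2:53
tcp 192.0.2.20:49152 > 203.0.113.5:80
tcp 203.0.113.9:80 > 192.0.2.10:22
tcp 192.0.2.30:51000 > 198.51.100.2:443
"""

FLOW_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+>\s+(\S+):(\d+)$")
EPHEMERAL_START = 1024  # a client opening a connection should use a port above this

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def parse_flows(text: str) -> list[Flow]:
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:  # lines that do not fit the constructed format are skipped
            proto, src, sport, dst, dport = m.groups()
            flows.append(Flow(proto, src, int(sport), dst, int(dport)))
    return flows

def allowed_by_source_port_rule(flow: Flow, trusted_sport: int = 80) -> bool:
    """The mistake from the thread, 'allow tcp from any port 80 to any':
    whoever sets their own source port to 80 matches it."""
    return flow.proto == "tcp" and flow.sport == trusted_sport

def is_suspect(flow: Flow) -> bool:
    """A new TCP connection with a service source port aimed at another
    service port: real clients use high source ports, and a real server's
    reply (port 80 back to the client) is never a new connection."""
    return flow.proto == "tcp" and flow.sport < EPHEMERAL_START and flow.dport < EPHEMERAL_START

def review(text: str) -> tuple[list[str], list[str]]:
    # Returns (flows the weak rule would pass, flows worth investigating).
    flows = parse_flows(text)
    key = lambda f: f"{f.src}:{f.sport}->{f.dst}:{f.dport}"
    return ([key(f) for f in flows if allowed_by_source_port_rule(f)],
            [key(f) for f in flows if is_suspect(f)])
```

On the constructed records the weak rule passes exactly the two flows the check flags (80 to 53 and 80 to 22), while the ordinary client connections to 80 and 443 trigger neither.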
