[Snort-users] Nmap

Matt Kettler mkettler at ...4108...
Wed Nov 19 17:38:07 EST 2003

At 06:57 AM 11/19/2003, Mark Fagan wrote:
>Do people really do filtering based on source port ?????

Yes, people really do make this mistake.. I'm not making it up.. believe it 
or not, stupid people exist ;)

As evidence that it's not just me, this is a common enough firewall flaw 
that there's even an option in nmap to take advantage of this mistake..

from the nmap manpage:

        -g <portnumber>
            Sets  the source port number used in scans.  Many naive fire­
               wall and packet filter installations  make  an  exception  in
               their  ruleset  to allow DNS (53) or FTP-DATA (20) packets to
               come through and establish a connection.  Obviously this com­
               pletely  subverts  the  security  advantages  of the firewall
               since intruders can just masquerade as FTP or DNS by  modify­
               ing  their  source port.  Obviously for a UDP scan you should
               try 53 first and TCP scans should try  20  before  53.   Note
               that this is only a request -- nmap will honor it only if and
               when it is able to.  For example, you can't do TCP  ISN  sam­
               pling  all  from  one  host:port  to  one  host:port, so nmap
               changes the source port even if you used -g.

More information about the Snort-users mailing list