[Snort-users] ssh-tunnel between sensor and database-server

Sean Brown sblinux at ...9344...
Fri Aug 27 19:44:08 EDT 2004


On August 25, 2004 9:47 am, Steffen Maetzky (extern) wrote:
> I have built an ssh-tunnel between my snort-sensor and my
> database-server and it seems to work.
>
> I would like to control this with tcpdump and it shows something like
> this:
>
> 	"IP1".32817 > "IP2".22
> 	"IP2".22 > "IP1".32817
>
> 	"IP1"=sensor
> 	"IP2"=server
>
> I expect port 3306 instead of 32817 and that confuses me.
>
> Can anyone explain to me why 32817 is used?
> Does ssh "hide" the source-port by using it?
>
> Thanks in advance,
>
> Steffen

The 32817 is the outgoing source port from your snort sensor to your ssh 
server. Only a destination is a designated port, whereas originating port 
numbers are random numbers >1024. What you're looking at is the ssh traffic, 
not the traffic crossing the tunnel.

-Sean Brown
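
The two connections discussed in this thread, as an added example that is not part of either post: a plain, unencrypted loopback relay stands in for the ssh client, and OS-chosen ports stand in for 22 and 3306 (all function names here are hypothetical). It shows that the forwarded port only appears on the sensor-local leg, while the leg a capture on the wire sees runs from a kernel-chosen source port to the server's port.

```python
import socket

def listen():
    """Listening TCP socket on loopback; the OS picks a free port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s

def trace_forward(payload=b"constructed sample row"):
    """Carry one message app -> local forward -> server; report each leg's ports."""
    sshd = listen()      # stand-in for sshd on the database server (port 22)
    forward = listen()   # stand-in for the forwarded local port (3306)
    sshd_port = sshd.getsockname()[1]
    forward_port = forward.getsockname()[1]

    # Leg 1 (never leaves the sensor): the application connects to the forward.
    app = socket.create_connection(("127.0.0.1", forward_port))
    app_side, _ = forward.accept()

    # Leg 2 (what tcpdump sees on the wire): the tunnel client's own TCP
    # connection to the server. The kernel chooses its source port.
    wire = socket.create_connection(("127.0.0.1", sshd_port))
    server_side, peer = sshd.accept()

    app.sendall(payload)
    wire.sendall(app_side.recv(1024))   # real ssh encrypts here; this relay does not
    received = server_side.recv(1024)

    result = {
        "loopback_leg": (app.getsockname()[1], forward_port),
        "wire_leg": (wire.getsockname()[1], sshd_port),
        "seen_by_server": peer[1],
        "payload": received,
    }
    for s in (app, app_side, wire, server_side, sshd, forward):
        s.close()
    return result

if __name__ == "__main__":
    r = trace_forward()
    print("loopback leg  src=%d dst=%d" % r["loopback_leg"])
    print("on-wire leg   src=%d dst=%d" % r["wire_leg"])
```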