[Snort-users] ssh-tunnel between sensor and database-server
sblinux at ...9344...
Fri Aug 27 19:44:08 EDT 2004
On August 25, 2004 9:47 am, Steffen Maetzky (extern) wrote:
> I have build an ssh-tunnel between my snort-sensor and my
> database-server and it seems to work.
> I had like to control this with tcpdump and it shows something like
> "IP1".32817 > "IP2".22
> "IP2".22 > "IP1".32817
> I expect port 3306 instead of 32817 and that confuses me.
> Can anyone explain me why 32817 is used?
> Does ssh "hide" the source-port by using it?
> Thanks in advance,
The 32817 is the outgoing source port from your snort sensor to your ssh
server. Only a destination is a designated port, whereas originating port
numbers are random numbers >1024. What your looking at is the ssh traffic,
not the traffic crossing the tunnel.
More information about the Snort-users