[Snort-users] null scan without port number
mkettler at ...4108...
Mon Sep 27 08:53:10 EDT 2004
At 06:23 PM 9/25/2004, Annie Green wrote:
>What it means when there's "null scan" alert without any port number?
>Source port and destination port are 'none'.
That sounds like a bug, since null scans can only happen in TCP. However,
it might mean that the src and dest port are both 0 in the packet.
What snort version are you using?
Are you using some kind of report interpreter (ie: ACID) or is this present
in the logs snort directly generates?
Can you give an example alert (censor IPs if you wish)?
More information about the Snort-users