[Snort-users] null scan without port number

Matt Kettler mkettler at ...4108...
Mon Sep 27 08:53:10 EDT 2004


At 06:23 PM 9/25/2004, Annie Green wrote:
>What does it mean when there's a "null scan" alert without any port number? 
>Source port and destination port are 'none'.

That sounds like a bug, since null scans can only happen in TCP. However, 
it might mean that the src and dest port are both 0 in the packet.

What Snort version are you using?

Are you using some kind of report interpreter (i.e., ACID) or is this present 
in the logs Snort directly generates?

Can you give an example alert (censor IPs if you wish)? 
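
The two cases the reply distinguishes, as an added example that is not part of the original post and is not Snort's own code: a TCP packet with no flags set and both ports 0, versus a non-TCP packet where no ports exist at all. The function names, the sample packets (built with documentation addresses) and the choice to mask only the six classic flag bits are assumptions made for this illustration.

```python
import struct

TCP = 6  # IANA protocol number for TCP

def classify(packet: bytes) -> dict:
    """Return protocol, ports (None if absent) and whether no TCP flags are set."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20:
        raise ValueError("bad IPv4 header length")
    proto = packet[9]
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    result = {"proto": proto, "sport": None, "dport": None, "null_flags": False}
    # Ports and flags exist only in the first fragment of a TCP segment;
    # for anything else a "null scan" verdict has nothing to stand on.
    if proto != TCP or frag_offset != 0 or len(packet) < ihl + 14:
        return result
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    flags = packet[ihl + 13] & 0x3F  # URG ACK PSH RST SYN FIN (assumption: ECN bits ignored)
    result.update(sport=sport, dport=dport, null_flags=(flags == 0))
    return result

def build_ip(proto: int, l4: bytes) -> bytes:
    """Constructed sample: minimal IPv4 header (checksum left at 0) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return hdr + l4

def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    """Constructed sample: 20-byte TCP header with the given ports and flag byte."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

# Constructed packets, not captured traffic.
NULL_PORT0 = build_ip(TCP, build_tcp(0, 0, 0x00))       # no flags, both ports 0
NULL_PORT80 = build_ip(TCP, build_tcp(40000, 80, 0x00))  # no flags, normal ports
SYN_PORT80 = build_ip(TCP, build_tcp(40000, 80, 0x02))   # ordinary SYN
ICMP_ECHO = build_ip(1, bytes([8, 0, 0, 0, 0, 0, 0, 0]))  # ICMP: no ports at all

if __name__ == "__main__":
    for name, pkt in [("null/port0", NULL_PORT0), ("null/port80", NULL_PORT80),
                      ("syn", SYN_PORT80), ("icmp", ICMP_ECHO)]:
        print(name, classify(pkt))
```

A port value of 0 and an absent port (None) are different results here; a front end that renders both as 'none' would hide that difference.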




