[Snort-users] Calling all packet monkeys

Paul Schmehl pauls at ...6838...
Wed Mar 23 12:17:35 EST 2005


--On Wednesday, March 23, 2005 07:00:59 AM -0800 SN ORT 
<snort_on_acid at ...131...> wrote:

> Hehe ..."someone brought in a laptop with a foreign
> IP" now there would be a sight to see, plugging in
> your own IP and then expecting it to route back in...
>
> OK, so Hi Paul in Dallas. I suspect that the TCP
> session may have been started by an internal host that
> was src: 161, dst: 135 and that the return traffic is
> the answer to an established session over port 135,
> and that your ACL allows established sessions first?
>
That's one possibility.

> Just making sure, is the SNMP traffic blocked at both
> UDP and TCP? Hope this helps..
>
Default policy is deny.  Neither 161/udp nor 161/tcp is allowed.  We see 
responses (blocked of course) in the PIX logs from our host/0 to foreign 
host/135 and foreign host/8000.

It's a curiosity more than anything else.

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu



