Re: Port 0 packets
From: Dave Paris (dparis_at_w3works.com)
Date: 07/25/03
- Previous message: Andreas Östling: "Re: Port 0 packets"
- In reply to: Andreas Östling: "Re: Port 0 packets"
- Next in thread: Toby Miller: "RE: Port 0 packets"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 25 Jul 2003 14:53:47 -0400
To: Andreas Östling <andreaso@it.su.se>
hrmm.. interesting. There have only been four of these triggered so
far, and SMTP traffic has been flowing continually without any other
false positives or other anomalies. Sounds like it's time to fire up
Ethereal and do a little closer inspection.
Thanks for the heads-up.
-dsp
On Friday, Jul 25, 2003, at 14:18 US/Eastern, Andreas Östling wrote:
>
> On Thu, 24 Jul 2003, Dave Paris wrote:
>
>> Our IDS spotted another TCP port 0 packet at 19:59pm UTC today
>> (Thursday). Headers follow:
>>
>> [**] (snort_decoder): T/TCP Detected [**]
>> 07/24-19:59:51.308749 216.136.173.246:0 -> xxx.xxx.xxx.xxx:0
>
> In case you don't know, snort has a bug (or had - I don't know if it has
> been fixed now) that would make those alerts generated by the snort
> decoder to always have the ports set to 0 since those values weren't yet
> assigned at that stage.
> See http://marc.theaimsgroup.com/?l=snort-devel&m=105698697005259&w=2
>
> /Andreas
>
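The point raised in the quoted reply, as an added example that is not part of either poster's message and is not Snort code: a short triage script that parses alerts in the two-line layout shown above and separates port 0 values logged by the decoder (which the reply says may be unassigned placeholders) from port 0 values reported by an ordinary rule. The sample alerts, the local rule name and sid, and the label strings are constructed for illustration.

```python
import re

# Constructed sample alerts in the two-line layout quoted in the thread.
# Addresses are documentation ranges; the second rule name and sid are made up.
SAMPLE = """\
[**] (snort_decoder): T/TCP Detected [**]
07/24-19:59:51.308749 192.0.2.10:0 -> 198.51.100.5:0

[**] [1:1000001:1] LOCAL tcp port 0 traffic [**]
07/24-20:03:12.114020 192.0.2.77:0 -> 198.51.100.5:25

[**] (snort_decoder): T/TCP Detected [**]
07/24-20:10:02.000001 192.0.2.10:4312 -> 198.51.100.5:25
"""

HEADER = re.compile(r"^\[\*\*\]\s*(?P<msg>.+?)\s*\[\*\*\]$")
# [\w.]+ also accepts redacted addresses such as xxx.xxx.xxx.xxx
FLOW = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\w.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\w.]+):(?P<dport>\d+)$"
)

def parse_alerts(text):
    """Yield one dict per alert: a [**] header line followed by a flow line."""
    msg = None
    for line in text.splitlines():
        line = line.strip()
        h = HEADER.match(line)
        if h:
            msg = h.group("msg")
            continue
        f = FLOW.match(line)
        if f and msg is not None:
            yield {"msg": msg, **f.groupdict()}
            msg = None

def triage(alert):
    """Classify how far the logged ports can be trusted."""
    if alert["sport"] != "0" and alert["dport"] != "0":
        return "ports-present"
    if alert["msg"].startswith("(snort_decoder)"):
        # Per the reply: decoder alerts may be logged before ports are assigned,
        # so confirm the real ports in a packet capture before treating as port 0.
        return "decoder-port0-verify-in-capture"
    return "port0-from-rule"

def summarize(text):
    return [(a["src"], a["msg"], triage(a)) for a in parse_alerts(text)]
```
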