Snort mailing list archives

Re: TCP ******S* portscan "SOLVED"


From: Marcel Hauser <marcel_hauser () gmx ch>
Date: Sun, 7 Apr 2002 00:38:46 -0100

Quoting Matt Kettler <mkettler () evi-inc com>:

Hi Matt

Sorry that you had to write such a long mail, in order for me to realize that 
FTP connection tracking "allowed" those packets!

A stateful policy fixup for active-mode FTP (non passive FTP does initiate 
syn connections back to the client machine, so if you were doing 
non-passive mode FTP with 195.186.255.2 being an FTP server and your 
webserver as a client, you'd see this and the fixup could allow the syn 
packets past).

Ahhh... here we go... that was it... nice to know... that I spent 3 hours 
tracking down what could have caused those portscans, until I read your mail :)

I hope this mail saves someone else the time to track a wrongly realized 
intrusion which wasn't an intrusion :)

Thanks for all the help and information I've got from you guys.. I learned a 
lot (hehe for the next time I get caught by FTP connection tracking :) )

Cheers Marcel
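
Added example (not part of the original message, and not Snort's own code): a small Python triage that labels inbound SYNs as expected active-mode FTP data connections when they match an endpoint the client announced in a PORT command, which is the situation the quoted explanation describes. The client address 192.0.2.10, the log tuples and all function names are constructed for illustration.

```python
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

def parse_port(line):
    """Return (ip, port) announced by an FTP PORT command, or None."""
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def expected_endpoints(control_events):
    """Map FTP server IP -> set of (client_ip, port) it was asked to connect to."""
    expected = {}
    for client, server, line in control_events:
        ep = parse_port(line)
        # Skip PORT commands naming a host other than the client itself:
        # they do not describe a data connection back to this client.
        if ep and ep[0] == client:
            expected.setdefault(server, set()).add(ep)
    return expected

def triage(control_events, inbound_syns):
    """Label each inbound SYN given as (src_ip, src_port, dst_ip, dst_port)."""
    expected = expected_endpoints(control_events)
    labels = []
    for src, _sport, dst, dport in inbound_syns:
        hit = (dst, dport) in expected.get(src, ())
        labels.append("active-ftp-data" if hit else "unexplained")
    return labels

# Constructed sample: 195.186.255.2 is the server named in the thread,
# 192.0.2.10 is a placeholder for the client (the webserver).
CONTROL = [
    ("192.0.2.10", "195.186.255.2", "PORT 192,0,2,10,4,1"),  # port 1025
    ("192.0.2.10", "195.186.255.2", "PORT 192,0,2,10,4,2"),  # port 1026
]
SYNS = [
    ("195.186.255.2", 20, "192.0.2.10", 1025),
    ("195.186.255.2", 20, "192.0.2.10", 1026),
    ("195.186.255.2", 20, "192.0.2.10", 1027),  # never announced
    ("198.51.100.7", 20, "192.0.2.10", 1025),   # not the FTP server
]

if __name__ == "__main__":
    for syn, label in zip(SYNS, triage(CONTROL, SYNS)):
        print(syn, label)
```

SYNs labelled "unexplained" are the ones still worth investigating as a possible scan.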
