Snort mailing list archives
Re: TCP ******S* portscan "SOLVED"
From: Marcel Hauser <marcel_hauser () gmx ch>
Date: Sun, 7 Apr 2002 00:38:46 -0100
Quoting Matt Kettler <mkettler () evi-inc com>:

Hi Matt

Sorry that you had to write such a long mail in order for me to realize that FTP connection tracking "allowed" those packets!

> A stateful policy fixup for active-mode FTP (non-passive FTP does initiate SYN connections back to the client machine, so if you were doing non-passive mode FTP with 195.186.255.2 being an FTP server and your webserver as a client, you'd see this and the fixup could allow the SYN packets past).

ahhh... here we go... that was it... nice to know... that I spent 3 hours tracking down what could have caused those portscans, until I read your mail :)

I hope this mail saves someone else the time of tracking down a wrongly realized intrusion which wasn't an intrusion :)

Thanks for all the help and information I've got from you guys.. I learned a lot (hehe, for the next time I get caught by FTP connection tracking :) )

Cheers
Marcel
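Added example, not part of the original message and not Snort or firewall code: a minimal Python model of the FTP connection tracking discussed above. It parses the client's PORT command (RFC 959) and uses it to tell an expected active-mode data connection from an unsolicited inbound SYN. The client address 192.0.2.10 and all sample events are constructed; 195.186.255.2 is the server named in the quoted mail.

```python
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2  (data port = p1*256 + p2)
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)

def parse_port(line):
    """Return (ip, port) announced by a PORT command, or None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

class FtpTracker:
    """Tracks data endpoints announced on FTP control connections."""
    def __init__(self):
        self.expected = set()  # (server_ip, client_ip, client_port)

    def control_line(self, client_ip, server_ip, line):
        ep = parse_port(line)
        # Accept only a PORT that points back at the client itself;
        # an address naming a third host is ignored.
        if ep and ep[0] == client_ip:
            self.expected.add((server_ip, client_ip, ep[1]))

    def classify_syn(self, src_ip, dst_ip, dst_port):
        key = (src_ip, dst_ip, dst_port)
        if key in self.expected:
            self.expected.discard(key)  # one data connection per PORT
            return "expected-ftp-data"
        return "unsolicited"

# Constructed sample: control-channel lines sent by the client ...
CONTROL = [
    ("192.0.2.10", "195.186.255.2", "PORT 192,0,2,10,4,1"),   # -> port 1025
    ("192.0.2.10", "195.186.255.2", "PORT 192,0,2,99,4,2"),   # third host, ignored
]
# ... and inbound SYNs seen afterwards (src_ip, dst_ip, dst_port).
SYNS = [
    ("195.186.255.2", "192.0.2.10", 1025),
    ("195.186.255.2", "192.0.2.10", 1025),  # repeat, no new PORT
    ("195.186.255.2", "192.0.2.10", 1026),  # never announced
]

def triage(control=CONTROL, syns=SYNS):
    tracker = FtpTracker()
    for event in control:
        tracker.control_line(*event)
    return [tracker.classify_syn(*s) for s in syns]

if __name__ == "__main__":
    print(triage())
```

A sensor placed behind such a firewall sees the first kind of SYN as legitimate traffic; correlating portscan alerts against announced PORT endpoints separates it from the other two.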