Snort mailing list archives

Flex Resp Is Resetting The Wrong Port


From: Andy Wood <andy.wood () sptrm com>
Date: Mon, 28 Apr 2003 09:26:10 -0400

        The subject says it all.  It is a very basic rule, just for testing.
Below is the rule:

alert tcp 23.45.130.209 any -> 12.23.8.155 80 (msg:"Test Connection Reset"; resp: rst_all; sid:1001001; rev:1;)

        Notice below that the reset response is happening on tcp port 28,
and the web page still displays.

        Any Ideas??  Thanks!

        Andy


[root@lfw log]# tcpdump -i eth0 -p -n -nn tcp and host 23.45.130.209 and not port ssh
tcpdump: listening on eth0

19:23:11.016812 23.45.130.209.3811 > 12.23.8.155.80: S 964698099:964698099(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
19:23:11.017066 12.23.8.155.80 > 23.45.130.209.3811: S 1452223348:1452223348(0) ack 964698100 win 5840 <mss 1460,nop,nop,sackOK> (DF)
19:23:11.017820 12.23.8.155.28 > 23.45.130.209.3811: R 0:0(0) ack 964698099 win 0
19:23:11.067777 23.45.130.209.3811 > 12.23.8.155.80: . ack 1 win 64240 (DF)
19:23:11.068263 12.23.8.155.28 > 23.45.130.209.3811: R 1452223349:1452223349(0) ack 2 win 0
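
Added example, not part of the original post and not Snort code: a small Python check that reads tcpdump lines like the ones above and reports every RST whose address/port 4-tuple matches no connection seen in the capture. A TCP endpoint only applies a reset to the connection with the same 4-tuple, which is consistent with the page still loading here. The function names and the output format are assumptions made for this example.

```python
import re

# Packet lines taken from the tcpdump output in the post above.
CAPTURE = """\
19:23:11.016812 23.45.130.209.3811 > 12.23.8.155.80: S 964698099:964698099(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
19:23:11.017066 12.23.8.155.80 > 23.45.130.209.3811: S 1452223348:1452223348(0) ack 964698100 win 5840 <mss 1460,nop,nop,sackOK> (DF)
19:23:11.017820 12.23.8.155.28 > 23.45.130.209.3811: R 0:0(0) ack 964698099 win 0
19:23:11.067777 23.45.130.209.3811 > 12.23.8.155.80: . ack 1 win 64240 (DF)
19:23:11.068263 12.23.8.155.28 > 23.45.130.209.3811: R 1452223349:1452223349(0) ack 2 win 0
"""

# "tcpdump -n" TCP line: timestamp, src ip.port, dst ip.port, flags field.
LINE = re.compile(
    r"^\S+ (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>\S+)"
)

def parse(capture):
    """Yield (src, sport, dst, dport, flags) for each TCP line that parses."""
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])

def flow_key(src, sport, dst, dport):
    """Direction-independent key for one TCP connection."""
    return frozenset([(src, sport), (dst, dport)])

def misdirected_resets(capture):
    """Return RSTs that match no connection learned from non-RST packets."""
    packets = list(parse(capture))
    flows = {flow_key(*p[:4]) for p in packets if "R" not in p[4]}
    findings = []
    for src, sport, dst, dport, flags in packets:
        if "R" not in flags or flow_key(src, sport, dst, dport) in flows:
            continue
        # Source ports this host really used towards the same remote endpoint.
        expected = sorted({sp for s, sp, d, dp, f in packets
                           if (s, d, dp) == (src, dst, dport) and "R" not in f})
        findings.append({"rst_from": (src, sport), "to": (dst, dport),
                         "expected_sport": expected})
    return findings

if __name__ == "__main__":
    for finding in misdirected_resets(CAPTURE):
        print(finding)
```
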

