Snort mailing list archives
Wrong port numbers - Snort or ACID bug - how to fix?
From: Jerry.L.Rose () saj02 usace army mil
Date: Wed, 30 Apr 2003 12:52:59 -0500
Hello all,

I am running Snort Version 2.0.0 (Build 72) and barnyard version 0.1.0-beta6 on my NID sensors, ACID v0.9.6b21 on the webserver, and MySQL on the database server. All are running on Linux RedHat 8.0 boxes.

Here's my problem... I'm getting some ICMP alerts that show unusual original source and original destination ports in the payload section. I set up a sniffer on the same network segment as my NIDS and managed to capture the same ICMP packet on both the sensor and sniffer for further investigation. My snort database shows the original source port as port 16675 and the original destination port as 14179. My sniffer shows the original source port as port 80 and the original destination port as 1052.

I am assuming that the data gets converted improperly somewhere between Snort, barnyard, and ACID. It seems to me that I've seen this problem somewhere before, but can't seem to find the solution. Any ideas? I'm guessing that this is an ACID problem, but am not sure.

Jerry Rose
Network Security Administrator
U.S. Army Corps of Engineers
Jacksonville District
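An independent check for a discrepancy like the one reported above, as an added example that is not part of the original post: it decodes the original source and destination ports directly from the raw bytes of an ICMP error message, so the result can be compared with what each tool displays. The function names and the sample packet (documentation addresses, a quoted TCP segment, ICMP type 3 code 1) are constructed for illustration; the post does not say which ICMP type was involved.

```python
import struct

# ICMP types whose body quotes the offending datagram (RFC 792)
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

def original_ports(icmp: bytes):
    """Return (protocol, src_port, dst_port) of the datagram quoted in an ICMP error."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    if icmp[0] not in ICMP_ERROR_TYPES:
        raise ValueError(f"ICMP type {icmp[0]} does not quote an original datagram")
    quoted = icmp[8:]  # skip type, code, checksum and the 4-byte rest-of-header
    if len(quoted) < 20 or quoted[0] >> 4 != 4:
        raise ValueError("no quoted IPv4 header")
    ihl = (quoted[0] & 0x0F) * 4  # quoted header length; more than 20 with IP options
    if ihl < 20 or len(quoted) < ihl + 4:
        raise ValueError("quoted datagram too short to hold the ports")
    proto = quoted[9]
    if proto not in (6, 17):  # only TCP and UDP start with two 16-bit ports
        raise ValueError(f"quoted protocol {proto} has no port fields")
    src_port, dst_port = struct.unpack("!HH", quoted[ihl:ihl + 4])  # network byte order
    return proto, src_port, dst_port

def build_sample(src_port: int, dst_port: int, ip_options: bytes = b"") -> bytes:
    """Constructed ICMP type 3 code 1 message quoting a TCP segment (sample data)."""
    ihl_words = 5 + len(ip_options) // 4
    quoted_ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x40 | ihl_words, 0, ihl_words * 4 + 8, 0, 0, 64, 6, 0,
        bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]),  # documentation addresses
    )
    tcp_first8 = struct.pack("!HHI", src_port, dst_port, 0)  # ports + sequence number
    icmp_header = struct.pack("!BBHI", 3, 1, 0, 0)  # checksum left 0, not verified here
    return icmp_header + quoted_ip + ip_options + tcp_first8

if __name__ == "__main__":
    print(original_ports(build_sample(80, 1052)))
    print(original_ports(build_sample(80, 1052, ip_options=b"\x01" * 4)))
```

Running the same function over the ICMP bytes exported from the sniffer capture and over the payload stored in the alert database shows at which stage the values first differ.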