Re: 0 Protocol?

[Jeff Kell <jeff-kell () utc edu>]

Mike Koponick wrote:

> I was wondering if anyone has seen this type of message. It appears that
> someone is connecting to our SMTP relay using protocol "0". The Cisco
> PIX sees it as a Invalid protocol. Snort hasn't seen anything of this
> sort (I did a search through the logs).
>
> Is there a rule for this type of message?
>
> 2003-08-01 01:31:10 Local4.Warning 192.168.XXX.XXX %PIX-4-500004:
> Invalid transport field for protocol=6, from XXX.XXX.XXX.XXX/0 to
> XXX.XXX.XXX.XXX/25

Protocol 6 is TCP, is it complaining about the source port of zero?
I have seen several machines scanning our netblock for SMTP servers in 
the exact same manner (source port=0, dest port=25).

Jeff



-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users