Snort mailing list archives
Re: Nmap
From: Mark Fagan <r00t () online ie>
Date: Sat, 15 Nov 2003 11:13:55 +0000
I don't fully agree here. Unless you're using an antique firewall, it's not possible to allow traffic based on source port. Also, anyone who (where possible) allows traffic based on source port needs their head examined. The source port seems spoofed in this example; however, B2B applications I have seen previously can use the same source as dest port for communication, so don't panic until you actually investigate the source.

Cheers
Mark

Quoting Matt Kettler <mkettler () evi-inc com>:
At 08:19 AM 11/14/2003, Gerson Sampaio wrote:

Hi List, I received this alert and I'd like to know why the source is using port 80. Is this forged?

11/13-17:26:42.075512 [**] [1:628:2] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} x.x.x.x:80 -> y.y.y.y:53

No, it's very common for people doing network scans to use port 80 as a source port in order to bypass very poorly configured firewalls. Some incompetent admins just do an absolute pass of any tcp from port 80, without regard for destination port, flags, or state...

Even a stateless packet filter can be made to at least require an ack-bit to be set and require the dest port to be >= 1024.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
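Added example (not part of either poster's message): a small Python model of the two stateless filter policies discussed in this thread, the pass-anything-from-port-80 rule and the tighter rule requiring the ACK bit and a destination port >= 1024, evaluated over constructed packets. The packet flags, labels and function names are assumptions made for illustration.

```python
from collections import namedtuple

# Constructed sample packets (not captured traffic).
# flags is a string of TCP flag letters: S = SYN, A = ACK.
Packet = namedtuple("Packet", "src sport dst dport flags")


def weak_rule(p):
    """The misconfiguration described in the thread: pass any TCP from source port 80."""
    return p.sport == 80


def tighter_rule(p):
    """Stateless rule from the reply: source port 80, ACK bit set, dest port >= 1024."""
    return p.sport == 80 and "A" in p.flags and p.dport >= 1024


SAMPLES = [
    # Same address/port shape as the alert in this thread; the flags are an assumption.
    ("alert-shaped probe to DNS port", Packet("x.x.x.x", 80, "y.y.y.y", 53, "A")),
    ("SYN from source port 80 to SSH", Packet("x.x.x.x", 80, "y.y.y.y", 22, "S")),
    ("SYN from source port 80 to high port", Packet("x.x.x.x", 80, "y.y.y.y", 8080, "S")),
    ("web server reply to a client", Packet("x.x.x.x", 80, "y.y.y.y", 40312, "SA")),
    ("unsolicited ACK to a high port", Packet("x.x.x.x", 80, "y.y.y.y", 40312, "A")),
]


def compare(samples=SAMPLES):
    """Return {label: (weak_verdict, tighter_verdict)}; True means the packet is passed."""
    return {label: (weak_rule(p), tighter_rule(p)) for label, p in samples}


if __name__ == "__main__":
    for label, (weak, tight) in compare().items():
        verdicts = ["pass" if v else "drop" for v in (weak, tight)]
        print(f"{label:38s} weak={verdicts[0]}  tighter={verdicts[1]}")
```

The last constructed case passes both rules: a stateless filter cannot tell an unsolicited ACK from a genuine reply, which only connection tracking distinguishes.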