Snort mailing list archives
RE: Nmap
From: MH <procana () insight rr com>
Date: Mon, 17 Nov 2003 12:39:56 -0500
Hi Gerson,

The reason the alert fired was because the ack flag was set and the ack field value was 0. As far as the source port being set to 80, this in conjunction with the ack flag used to confuse some firewalls. The rationale was that if internal traffic was allowed to access external web sites and the firewall didn't maintain state, this traffic could slip into the internal network. Almost all *modern* firewalls maintain state and this traffic is blocked. Also, the 0 ack number with the ack flag set really makes it stick out.

Hope this helps,
Mike
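The condition described in the message above (ACK flag set while the acknowledgment field is 0, optionally with source port 80), written out as a check over a raw TCP header. This is an added example, not part of the original post and not Snort's own code; the function names and the sample segments are constructed for illustration.

```python
import struct

ACK = 0x10  # ACK bit in the TCP flags field
SYN = 0x02  # SYN bit, used only for a contrasting sample


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte part of a TCP header (network byte order)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x3F, "window": window}


def check_segment(segment: bytes) -> list:
    """Return the reasons a segment matches the pattern from the message."""
    hdr = parse_tcp_header(segment)
    reasons = []
    # In an established connection the ack number is the peer's next
    # expected sequence number, so ACK set with ack == 0 stands out.
    if hdr["flags"] & ACK and hdr["ack"] == 0:
        reasons.append("ACK flag set with acknowledgment number 0")
        # Source port 80 makes the segment look like a web server reply,
        # which a firewall that keeps no state cannot tell from a real one.
        if hdr["sport"] == 80:
            reasons.append("source port 80 on the zero-ack segment")
    return reasons


def build_header(sport, dport, seq, ack, flags) -> bytes:
    """Build a 20-byte header for the constructed samples (checksum left 0)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | flags, 1024, 0, 0)


# Constructed sample segments (not captured traffic).
PROBE = build_header(80, 22, 0x1A2B3C4D, 0, ACK)       # the pattern above
NORMAL_ACK = build_header(80, 51515, 1000, 2001, ACK)  # ordinary reply
FIRST_SYN = build_header(51515, 80, 2000, 0, SYN)      # ack 0, but no ACK flag

if __name__ == "__main__":
    for name, seg in (("probe", PROBE), ("normal ack", NORMAL_ACK),
                      ("syn", FIRST_SYN)):
        print(name, check_segment(seg))
```

The check is stateless, like the signature it mirrors; a stateful firewall drops the same segment because it belongs to no tracked connection.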
Current thread:
- Nmap Gerson Sampaio (Nov 14)
- <Possible follow-ups>
- RE: Nmap Esler, Joel - Contractor (Nov 17)
- RE: Nmap MH (Nov 17)
- RE: Nmap bmcdowell (Nov 19)
- Message not available
- RE: Nmap Matt Kettler (Nov 19)
- Message not available