Snort mailing list archives

RE: Nmap


From: MH <procana () insight rr com>
Date: Mon, 17 Nov 2003 12:39:56 -0500

Hi Gerson,

The reason the alert fired was because the ack flag
was set and the ack field value was 0. 
As far as the source port being set to 80, this
in conjunction with the ack flag used to confuse
some firewalls.
The rationale was that if internal traffic was allowed
to access external web sites and the firewall didn't
maintain state, this traffic could slip into the internal
network.  Almost all *modern* firewalls maintain state
and this traffic is blocked.  Also, the 0 ack number 
with the ack flag set really makes it stick out.

Hope this helps,
Mike
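
The two points in the reply above, as an added example that is not part of the original message or of Snort's own code: a check for the ACK flag with an ack field of 0, and a stateless source-port-80 rule beside a minimal state table. The function names, the `StatefulFilter` class and the sample segments (documentation addresses) are constructed for illustration.

```python
import struct

TCP_SYN, TCP_ACK = 0x02, 0x10  # bit positions in the TCP flags field

def parse_tcp(segment):
    """Decode the fields used below from the fixed 20-byte TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x3F}

def is_ack_zero_probe(tcp):
    """Signature from the reply: ACK flag set while the ack field is 0."""
    return bool(tcp["flags"] & TCP_ACK) and tcp["ack"] == 0

def stateless_allows(tcp):
    """Stateless rule: permit anything from source port 80 with ACK set."""
    return tcp["sport"] == 80 and bool(tcp["flags"] & TCP_ACK)

class StatefulFilter:
    """Minimal connection table: inbound segments must match an outbound flow."""
    def __init__(self):
        self.flows = set()

    def outbound(self, src_ip, dst_ip, tcp):
        # Track only flows that an internal host opened with a SYN.
        if tcp["flags"] & TCP_SYN:
            self.flows.add((src_ip, tcp["sport"], dst_ip, tcp["dport"]))

    def inbound_allowed(self, src_ip, dst_ip, tcp):
        # Reverse the tuple: the segment must belong to a tracked flow.
        return (dst_ip, tcp["dport"], src_ip, tcp["sport"]) in self.flows

def build(sport, dport, seq, ack, flags):
    """Construct a 20-byte TCP header (checksum left at 0) for the samples."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | flags, 1024, 0, 0)

# Constructed sample segments, not captured traffic.
PROBE = build(80, 22, 0x1A2B3C4D, 0, TCP_ACK)        # ACK set, ack field 0
CLIENT_SYN = build(40000, 80, 1000, 0, TCP_SYN)      # internal host opens a web flow
SERVER_REPLY = build(80, 40000, 5000, 1001, TCP_SYN | TCP_ACK)
```

The stateless rule passes `PROBE`, while the state table rejects it because no internal host opened a matching flow; the ack-0 check flags it either way.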

