Snort mailing list archives
Re: Nmap
From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 18 Nov 2003 11:52:11 -0500
At 06:13 AM 11/15/2003, Mark Fagan wrote:
I dont fully agree here. Unless your using an antique firewall its not possible to allow traffic based on source port.
To my knowledge every version of IPChains, IPTables, openbsd PF, BSD IPF, Cisco PIX, and Cisco IOS has some form of rule which you can add to force allow traffic to pass the firewall based only on source port.
Not that it's a good idea.. but I challenge your assertion that it's not possible on a modern firewall... In fact, I'd be surprised if _any_ major firewalls would flat out refuse such a rule if manually configured to do so.. Maybe some of the more paranoid ones such as the Secure Computing Sidewinder G2 might refuse such things, but certainly there are a large number of major firewalls that will accept such things.
Also anyone who (where possible) allows traffic based on source port needs their heads examined.
I agree.. that's why I referred to said admins as incompetent. Yes, they do need their heads examined, but there really are admins out there that know absolutely nothing about TCP/IP that are administering firewalls. It's very common for a small company to have a single MCSE guy on staff to run their Windows NT/2k/2003 file servers who is also responsible (by default) for running the firewall..
Not all MCSE's know TCP/IP, and the ones that don't are just going to make up some arbitrary bypass rules to "make it work" without understanding what's going on. This really does happen, and hackers do know it, and do try to take advantage of it.
The source port seems spoofed in this example, however B2B applications I haveseen previously can use same source as dest port for communication, so dont panic until you actually investigate the source.
In this case it's not the same src/dest port pairing.. it's TCP traffic from a HTTP port to a DNS port.. That traffic pattern is VERY suspect.
Sure it's possible that some crack smoking Windows programmer decided that DNS queries should be done using port 80 as a source, and be done using TCP instead of UDP.. but that's not very likely.
------------------------------------------------------- This SF. Net email is sponsored by: GoToMyPC GoToMyPC is the fast, easy and secure way to access your computer from any Web browser or wireless device. Click here to Try it Free! https://www.gotomypc.com/tr/OSDN/AW/Q4_2003/t/g22lp?Target=mm/g22lp.tmpl _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Nmap Gerson Sampaio (Nov 14)
- <Possible follow-ups>
- RE: Nmap Esler, Joel - Contractor (Nov 17)
- RE: Nmap MH (Nov 17)
- RE: Nmap bmcdowell (Nov 19)
- Message not available
- RE: Nmap Matt Kettler (Nov 19)
- Message not available