
RE: Port 0 packets

From: Stuart <secmail(at)patchsupplier.dyndns.org>
Date: Fri Jul 25 2003 - 21:26:43 EDT

 


I did install snort but the box has been rebuilt since, ISA is what is running on it at the moment. So if snort can have problems no doubt ISA will :)
They're quite irritating as there's nothing I can find in packet captures that's causing them to come in :S

Stu

-----Original Message-----
From: Toby Miller [mailto:toby_miller@adelphia.net]
Sent: 26 July 2003 02:18
To: Dave Paris; Russell Fulton
Cc: Stuart; incidents@securityfocus.com
Subject: RE: Port 0 packets

We have been seeing these port 0 packets since we installed snort-2.0.0. At first we thought we had been missing something but further investigation revealed that snort was not reading the packets correctly.

Toby

-----Original Message-----
From: Dave Paris [mailto:dparis@w3works.com]
Sent: Thursday, July 24, 2003 4:05 PM
To: Russell Fulton
Cc: Stuart; incidents@securityfocus.com
Subject: Re: Port 0 packets

Our IDS spotted another TCP port 0 packet at 19:59pm UTC today (Thursday). Headers follow:

[**] (snort_decoder): T/TCP Detected [**]
07/24-19:59:51.308749 216.136.173.246:0 -> xxx.xxx.xxx.xxx:0
TCP TTL:55 TOS:0x0 ID:41202 IpLen:20 DgmLen:68 DF
******S* Seq: 0x73C13DA0 Ack: 0x0 Win: 0xFFFF TcpLen: 48
TCP Options (9) => MSS: 1460 NOP WS: 1 NOP NOP TS: 15026415 0
TCP Options => NOP NOP CCNEW: 248555


Kind Regards,
-dsp

On Wednesday, Jul 23, 2003, at 16:38 US/Eastern, Russell Fulton wrote:

> On Wed, 2003-07-23 at 12:28, Stuart wrote:

>> Hi,
>>
>> After currently reviewing firewall logs from ISA server I have
>> come across a period where the box was hit with an approx.
>> average of 3 - 4 packets per 5 minute period for 8 hours.
>

> Over the last few days snort has been complaining about packets on
>

> yesterday.
>

> The packets were coming from two IP addresses in China and were tcp
>

> I concluded that this was fallout from a DOS attack on the two
>

> Given the frequency of your packets and the likelihood that you
>

> --
> Russell Fulton, Network Security Officer, The University of
>
>




Received on Sun Jul 27 14:55:57 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:13 EDT
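
Added example (not part of the original thread, and not Snort's own code): a small Python parser for alert text in the layout Dave Paris posted, which counts alerts per source where either port is 0. The destination address and the second alert are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample. The first alert reuses the header values quoted in the
# thread; 192.0.2.10 and 198.51.100.7 are documentation placeholders.
SAMPLE = """\
[**] (snort_decoder): T/TCP Detected [**]
07/24-19:59:51.308749 216.136.173.246:0 -> 192.0.2.10:0
TCP TTL:55 TOS:0x0 ID:41202 IpLen:20 DgmLen:68 DF
******S* Seq: 0x73C13DA0 Ack: 0x0 Win: 0xFFFF TcpLen: 48
TCP Options (9) => MSS: 1460 NOP WS: 1 NOP NOP TS: 15026415 0
TCP Options => NOP NOP CCNEW: 248555

[**] Constructed ordinary alert [**]
07/24-20:01:12.000001 198.51.100.7:40312 -> 192.0.2.10:80
TCP TTL:52 TOS:0x0 ID:1234 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1 Ack: 0x0 Win: 0x16D0 TcpLen: 40
"""

# \s+ between fields so the same pattern reads alerts whose line breaks were
# lost in transit (as happens when they are pasted into mail).
ALERT_RE = re.compile(
    r"\[\*\*\]\s*(?P<msg>.+?)\s*\[\*\*\]\s+"
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\w.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\w.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>TCP|UDP)\s+TTL:(?P<ttl>\d+)"
)

def parse_alerts(text):
    """Return one dict per TCP/UDP alert found in text."""
    matches = list(ALERT_RE.finditer(text))
    alerts = []
    for i, m in enumerate(matches):
        # Everything up to the next alert header belongs to this alert.
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        a = m.groupdict()
        for key in ("sport", "dport", "ttl"):
            a[key] = int(a[key])
        # Only the option spelling shown in the thread's alert is checked.
        a["ccnew"] = "CCNEW:" in text[m.end():end]
        alerts.append(a)
    return alerts

def port_zero_sources(alerts):
    """Count alerts per source address where either port is 0."""
    return Counter(a["src"] for a in alerts
                   if a["sport"] == 0 or a["dport"] == 0)
```
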

