
[Snort-devel] Snort 2.0 and T/TCP false alarm

From: Simon Hradecky <shradecky(at)nomissoft.com>
Date: Thu Jun 26 2003 - 10:48:59 EDT


Hiya,

I am using Snort 2.0.0 as released April 14th 2003. In addition to the normal rules I have added a rule logging _all_ traffic in tcpdump format, as we are currently experiencing several attacks which Snort can't account for (OpenSSL attacks).

Today Snort alerted me to two encounters of T/TCP packets, seemingly originating from port 0 of the sender IP and going to port 0 of our server. When I then checked the tcpdump with Ethereal, I was able to exactly identify the packet by its signature and all other details listed in the alert; however, both source and destination port were _NOT_ 0. It was actually a regular and perfectly normal communication to our SMTP server. Let me know ASAP if you need the alert and (excerpt) tcpdump file, as it will scroll off shortly.

Simon




Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Received on Thu Jun 26 11:09:47 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:06 EDT

