Re: Does anyone recognize this?

From: Daniel Martin (dtmartin24at_private)
Date: Wed Apr 18 2001 - 05:40:32 PDT


Ryan Russell <ryanat_private> writes:

> Why the strange port numbers if it was FTP?

Not all ftp data connections are done to/from port 20, especially
passive ftp connections.  Here's a netstat --inet snippet from my
machine, using passive ftp to ftp.debian.org:

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp    17376      0 cc134321-a.burl1.n:1396 usw-sf-ftp1.source:2273 ESTABLISHED
tcp        0      0 cc134321-a.burl1.n:1387 usw-sf-ftp1.sourcef:ftp ESTABLISHED

The control connection is the second connection listed; the top data
connection is, you'll notice, between two reasonably arbitrary port
numbers.

Actually, thinking about this further, the original poster had the
local port number very high - above 60,000 - which suggests to me a
NATed connection.  So I'm going to refine my ftp guess to be that the
machine which captured the snort log is a NAT gateway for a network of
other machines, one of which was using passive ftp to pull down a
RedHat ISO image (or stuff out of a RedHat source tree).  (I'll note
in passing that passive FTP is the only type that Internet Explorer
does, and that with many firewalls passive ftp is the only way ftp
will work at all).
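The reasoning above (passive FTP data flows between two ephemeral ports, tied to a control connection on port 21, with a very high local port hinting at NAT) can be turned into a small triage script. This is an added example, not code from Daniel Martin's post or from netstat; it reuses the netstat snippet from the post as constructed sample input, assumes a tiny service-name table (netstat prints "ftp" for port 21 unless run with -n), and adds a parser for the FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply from RFC 959, which is how the arbitrary data port gets chosen in the first place. The PASV reply and the 60,000-port gateway line in the test are constructed, not taken from the post.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the netstat --inet snippet from the post.
NETSTAT_SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp    17376      0 cc134321-a.burl1.n:1396 usw-sf-ftp1.source:2273 ESTABLISHED
tcp        0      0 cc134321-a.burl1.n:1387 usw-sf-ftp1.sourcef:ftp ESTABLISHED
"""

# netstat prints well-known ports as service names unless -n is given.
# This small table is an assumption of the example, not netstat's own data.
SERVICE_PORTS = {"ftp": 21, "ftp-data": 20}

# The post's heuristic: a local port above 60,000 suggests a NAT gateway.
NAT_PORT_HINT = 60000


@dataclass
class Conn:
    proto: str
    recv_q: int
    send_q: int
    local_host: str
    local_port: int
    foreign_host: str
    foreign_port: int
    state: str


def _split_endpoint(endpoint):
    """Split 'host:port' where port may be a number or a service name."""
    host, port = endpoint.rsplit(":", 1)
    return host, int(port) if port.isdigit() else SERVICE_PORTS.get(port, -1)


def parse_netstat(text):
    """Parse the connection rows of `netstat --inet` output, skipping headers."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[0] not in ("tcp", "udp"):
            continue  # header / banner lines
        lhost, lport = _split_endpoint(fields[3])
        fhost, fport = _split_endpoint(fields[4])
        conns.append(Conn(fields[0], int(fields[1]), int(fields[2]),
                          lhost, lport, fhost, fport, fields[5]))
    return conns


def same_host(a, b):
    """netstat truncates long hostnames to fit the column, so two rows for the
    same peer can differ in their final characters (see the sample above).
    Compare on the common prefix; use `netstat -n` for exact addresses."""
    n = min(len(a), len(b))
    return a[:n] == b[:n]


def classify(conns):
    """Label each connection and flag the NAT hint from the post.

    Returns a list of (label, nat_hint) tuples, one per connection:
    - "ftp-control": peer port 21
    - "active-ftp-data": either side on port 20
    - "passive-ftp-data-candidate": ephemeral<->ephemeral to a peer that also
      has an FTP control session open (the case shown in the post)
    - "other"/"non-tcp": everything else
    """
    control_peers = [c.foreign_host for c in conns
                     if c.proto == "tcp" and c.foreign_port == 21]
    labels = []
    for c in conns:
        if c.proto != "tcp":
            label = "non-tcp"
        elif c.foreign_port == 21:
            label = "ftp-control"
        elif 20 in (c.local_port, c.foreign_port):
            label = "active-ftp-data"
        elif (c.local_port >= 1024 and c.foreign_port >= 1024
              and any(same_host(c.foreign_host, p) for p in control_peers)):
            label = "passive-ftp-data-candidate"
        else:
            label = "other"
        labels.append((label, c.local_port > NAT_PORT_HINT))
    return labels


# RFC 959 passive-mode reply: the server announces the data port it will
# listen on as two bytes, p1*256 + p2, which is why the port looks arbitrary.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def pasv_data_endpoint(reply):
    """Return (ip, port) announced by a '227 Entering Passive Mode' reply."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV (227) reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


if __name__ == "__main__":
    for conn, (label, nat) in zip(parse_netstat(NETSTAT_SAMPLE),
                                  classify(parse_netstat(NETSTAT_SAMPLE))):
        print("%-26s -> %-26s %-28s nat_hint=%s" % (
            "%s:%d" % (conn.local_host, conn.local_port),
            "%s:%d" % (conn.foreign_host, conn.foreign_port), label, nat))
    # Constructed PASV reply (192.0.2.10 is a documentation address).
    print(pasv_data_endpoint("227 Entering Passive Mode (192,0,2,10,8,225)"))
```

On the post's snippet this labels the second row as the control connection and the first row as a passive-data candidate, and the constructed PASV reply decodes to port 8*256+225 = 2273, the same foreign port the post's data connection shows. The prefix comparison in `same_host` is a workaround for netstat's column truncation and is only a heuristic; on a real gateway, `netstat -n` (or the snort log's numeric addresses) avoids it.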
    
    This archive was generated by hypermail 2b30 : Wed Apr 18 2001 - 07:15:06 PDT