Ryan Russell <ryanat_private> writes:
> Why the strange port numbers if it was FTP?

Not all ftp data connections are done to/from port 20, especially passive ftp connections. Here's a netstat --inet snippet from my machine, using passive ftp to ftp.debian.org:

    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp    17376      0 cc134321-a.burl1.n:1396 usw-sf-ftp1.source:2273 ESTABLISHED
    tcp        0      0 cc134321-a.burl1.n:1387 usw-sf-ftp1.sourcef:ftp ESTABLISHED

The control connection is the second connection listed; the top data connection is, you'll notice, between two reasonably arbitrary port numbers.

Actually, thinking about this further, the original poster had the local port number very high - above 60,000 - which suggests to me a NATed connection. So I'm going to refine my ftp guess to be that the machine which captured the snort log is a NAT gateway for a network of other machines, one of which was using passive ftp to pull down a RedHat ISO image (or stuff out of a RedHat source tree).

(I'll note in passing that passive FTP is the only type that Internet Explorer does, and that with many firewalls passive ftp is the only way ftp will work at all.)
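As an added illustration of the reasoning in the post above (this is example code written for this archive page, not the poster's), here is a small Python script that parses netstat-style output and applies the two heuristics the post uses: an established connection to a peer's ftp/21 port is the control channel, and any other established connection to that same peer on an arbitrary port is a likely passive-mode data channel. It also flags very high local ports (the post's "above 60,000" NAT hint). The sample netstat text, the host names, and the port threshold are all constructed assumptions for the example.

```python
import re

# Constructed sample of `netstat --inet` output; host names and ports are made up.
# The second row is an FTP control connection, the first is the matching passive
# data connection on "strange" ports, the last two are unrelated traffic.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address             Foreign Address          State
tcp    17376      0 gateway.example.net:61022 mirror.example.org:2273  ESTABLISHED
tcp        0      0 gateway.example.net:61017 mirror.example.org:ftp   ESTABLISHED
tcp        0      0 gateway.example.net:1043  www.example.com:http     ESTABLISHED
tcp        0      0 gateway.example.net:61050 other.example.org:33055  ESTABLISHED
"""

FTP_CONTROL_PORTS = {"ftp", "21"}
NAT_PORT_HINT = 60000  # assumption taken from the thread: very high local ports hint at NAT

# One netstat row: proto, queues, local host:port, foreign host:port, state.
# Hosts may be truncated names or addresses, ports may be names or numbers.
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<recvq>\d+)\s+(?P<sendq>\d+)\s+"
    r"(?P<lhost>\S+):(?P<lport>\S+)\s+(?P<fhost>\S+):(?P<fport>\S+)\s+(?P<state>\S+)"
)


def parse_netstat(text):
    """Return one dict per connection row; header lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def classify(rows):
    """Label each connection and note whether the local port looks NAT-translated.

    'ftp-control' : foreign port is ftp/21
    'ftp-data?'   : arbitrary foreign port, but we also hold an established control
                    connection to the same foreign host, so likely passive-mode data
    'other'       : everything else
    Returns tuples of (label, lhost, lport, fhost, fport, nat_hint).
    """
    control_hosts = {
        r["fhost"] for r in rows
        if r["fport"] in FTP_CONTROL_PORTS and r["state"] == "ESTABLISHED"
    }
    result = []
    for r in rows:
        if r["fport"] in FTP_CONTROL_PORTS:
            label = "ftp-control"
        elif r["fhost"] in control_hosts and r["state"] == "ESTABLISHED":
            label = "ftp-data?"
        else:
            label = "other"
        nat_hint = r["lport"].isdigit() and int(r["lport"]) >= NAT_PORT_HINT
        result.append((label, r["lhost"], r["lport"], r["fhost"], r["fport"], nat_hint))
    return result


def report(text):
    """Convenience wrapper: parse, classify and return printable lines."""
    lines = []
    for label, lh, lp, fh, fp, nat in classify(parse_netstat(text)):
        nat_note = " (local port >= %d, possible NAT)" % NAT_PORT_HINT if nat else ""
        lines.append("%-12s %s:%s -> %s:%s%s" % (label, lh, lp, fh, fp, nat_note))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_NETSTAT):
        print(line)
```

Run it as-is and the data connection on ports 61022/2273 is explained by the control connection to the same host, while the 61050/33055 connection stays unexplained and would deserve a closer look; on a real gateway, feed it the output of netstat --inet (or ss -tn with the regex adjusted) taken at the time of the alert.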
This archive was generated by hypermail 2b30 : Wed Apr 18 2001 - 07:15:06 PDT