Re: Port 0 packets

From: Andreas Östling (andreasoat_private)
Date: Fri Jul 25 2003 - 11:18:38 PDT

Next message: sa7ori: "Re: New worm in Japan?"

Previous message: Rodrigo Barbosa: "Re: Scan of TCP 552-554"
In reply to: Dave Paris: "Re: Port 0 packets"
Next in thread: Dave Paris: "Re: Port 0 packets"
Next in thread: Dave Paris: "Re: Port 0 packets"
Reply: Dave Paris: "Re: Port 0 packets"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 24 Jul 2003, Dave Paris wrote:

> Our IDS spotted another TCP port 0 packet at 19:59pm UTC today
> (Thursday).  Headers follow:
>
> [**] (snort_decoder): T/TCP Detected [**]
> 07/24-19:59:51.308749 216.136.173.246:0 -> xxx.xxx.xxx.xxx:0

In case you don't know, snort has a bug (or had - I don't know if it has
been fixed now) that would make those alerts generated by the snort
decoder to always have the ports set to 0 since those values weren't yet
assigned at that stage.
See http://marc.theaimsgroup.com/?l=snort-devel&m=105698697005259&w=2

/Andreas

---------------------------------------------------------------------------
----------------------------------------------------------------------------

Next message: sa7ori: "Re: New worm in Japan?"
Previous message: Rodrigo Barbosa: "Re: Scan of TCP 552-554"
In reply to: Dave Paris: "Re: Port 0 packets"
Next in thread: Dave Paris: "Re: Port 0 packets"
Next in thread: Dave Paris: "Re: Port 0 packets"
Reply: Dave Paris: "Re: Port 0 packets"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun Jul 27 2003 - 11:13:18 PDT