Re: Port 0 packets

From: Dave Paris (dparisat_private)
Date: Fri Jul 25 2003 - 11:53:47 PDT


    hrmm.. interesting.  There have only been four of these triggered so 
    far, and SMTP traffic has been flowing continually without any other 
    false positives or other anomalies.  Sounds like it's time to fire up 
    Ethereal and do a little closer inspection.
    
    Thanks for the heads-up.
    
    -dsp
    
    On Friday, Jul 25, 2003, at 14:18 US/Eastern, Andreas Östling wrote:
    
    >
    > On Thu, 24 Jul 2003, Dave Paris wrote:
    >
    >> Our IDS spotted another TCP port 0 packet at 19:59pm UTC today
    >> (Thursday).  Headers follow:
    >>
    >> [**] (snort_decoder): T/TCP Detected [**]
    >> 07/24-19:59:51.308749 216.136.173.246:0 -> xxx.xxx.xxx.xxx:0
    >
    > In case you don't know, snort has a bug (or had - I don't know if it has
    > been fixed now) that would make those alerts generated by the snort
    > decoder to always have the ports set to 0 since those values weren't yet
    > assigned at that stage.
    > See http://marc.theaimsgroup.com/?l=snort-devel&m=105698697005259&w=2
    >
    > /Andreas
    >
    
    
    



    This archive was generated by hypermail 2b30 : Sun Jul 27 2003 - 11:17:08 PDT