
Re: [Snort-users] Nmap

11-15-2003
Mark Fagan
 

I don't fully agree here.

Unless you're using an antique firewall it's not possible to allow traffic based
on source port.

Also anyone who (where possible) allows traffic based on source port needs
their heads examined.

The source port seems spoofed in this example, however B2B applications I have
seen previously can use same source as dest port for communication, so don't
panic until you actually investigate the source.

Cheers

Mark


Quoting Matt Kettler <mkettler@evi-inc.com>:

> At 08:19 AM 11/14/2003, Gerson Sampaio wrote:
> >Hi List,
> >i received this alert and i'd like to know why the
> >source is using port 80. Is this forged ?
> >
> >11/13-17:26:42.075512 [**] [1:628:2] SCAN nmap TCP
> >[**] [Classification: Attempted Information Leak]
> >[Priority: 2] {TCP} x.x.x.x:80 -> y.y.y.y:53

>
> No, it's very common for people doing network scans to use port 80 as a
> source port in order to bypass very poorly configured firewalls.
>
> Some incompetent admins just do an absolute pass of any tcp from port 80,
> without regards for destination port, flags, or state... Even a stateless
> packet filter can be made to at least require an ack-bit to be set and
> require the dest port to be >= 1024.
>
> -------------------------------------------------------
> This SF.Net email sponsored by: ApacheCon 2003,
> 16-19 November in Las Vegas. Learn firsthand the latest
> developments in Apache, PHP, Perl, XML, Java, MySQL,
> WebDAV, and more! http://www.apachecon.com/
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/...fo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.p...=snort-users
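An added example, not part of the original thread and not Snort or firewall vendor code: a small Python model of the three filtering policies the posts above contrast (pass anything from source port 80, a stateless rule that also requires the ACK bit and a destination port >= 1024, and a stateful check). The packets, function names and state table are constructed for illustration; only the 80 -> 53 port pair comes from the quoted alert.

```python
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10  # TCP flag bits

@dataclass(frozen=True)
class Packet:
    src_port: int
    dst_port: int
    flags: int
    note: str

def weak_rule(p):
    """'Absolute pass of any tcp from port 80': source port is the only test."""
    return p.src_port == 80

def stricter_stateless_rule(p):
    """Still stateless, but also require the ACK bit and a dest port >= 1024."""
    return p.src_port == 80 and bool(p.flags & ACK) and p.dst_port >= 1024

def stateful_rule(p, established):
    """Pass only replies to connections an inside host opened.
    `established` is an assumed state table of (local_port, remote_port)."""
    return (p.dst_port, p.src_port) in established

# Constructed sample traffic; only the 80 -> 53 port pair comes from the alert.
PACKETS = [
    Packet(80, 53, ACK, "alert's port pair, 80 -> 53"),
    Packet(80, 22, SYN, "SYN from source port 80 to a low port"),
    Packet(80, 40312, ACK, "ACK to a high port, no matching connection"),
    Packet(80, 51544, ACK, "reply to a web request the inside host made"),
]
ESTABLISHED = {(51544, 80)}  # constructed: one outbound HTTP connection

def evaluate():
    """Return (note, weak, stricter, stateful) pass/drop decisions per packet."""
    return [(p.note, weak_rule(p), stricter_stateless_rule(p),
             stateful_rule(p, ESTABLISHED)) for p in PACKETS]

if __name__ == "__main__":
    for note, weak, strict, stateful in evaluate():
        print(f"{note:45} weak={weak!s:5} stateless+={strict!s:5} stateful={stateful}")
```

The weak rule passes all four packets; the stricter stateless rule still passes the unsolicited ACK to a high port, which only the stateful check drops.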