Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-sigs] odd rule behaviour ???

from [Frank Knobbe] Network Security [Permanent Link]
Subject: Re: [Snort-sigs] odd rule behaviour ???
Date: Mon, 28 Nov 2005 17:24:49 -0600 
On Tue, 2005-11-29 at 11:04 +1300, Russell Fulton wrote:

Recently I started getting lots of hits on this rule (60,000 a day) and
I decided to add something to the threshold file to keep the noise down.
Then I noticed that the traffic that is triggering the rule has a
*source* port of zero, not a destination port of zero.  Now I'm sorely
puzzled - some one please tell me there is a straight forward
explanation and that I'm an idiot :)


Looks like someone's spam spewing engine (manually crafted packets
inserted on the wire, incl spoofed sources addresses) went bad. This
could be bad/clueless coding of the packet insertion routine, or perhaps
host-based software (firewall/IPS) or network based stiff (firewall)
mangling the packet while leaving the bot infected spam spewer.

I'm surprised you are still looking at UDP/1025 packets... ;)

Cheers,
Frank

-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

Attachment: signature.asc
Description: This is a digitally signed message part

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-sigs] odd rule behaviour ???, Russell Fulton
Next by Date:  Re: [Snort-sigs] odd rule behaviour ???, Patrick Walsh
Previous by Thread:  [Snort-sigs] odd rule behaviour ???, Russell Fulton
Next by Thread:  Re: [Snort-sigs] odd rule behaviour ???, Patrick Walsh
Indexes:  [Date] [Thread] [Top] [All Lists]