[Dshield] Source port zero...

J Lake jlake at knoxcounty.midcoast.com
Wed Dec 7 15:19:15 GMT 2005

On Tuesday 06 December 2005 05:12 pm, Freek de Kruijf wrote:
> I receive these packages also and analysed a number of these packets. They
> are not fragmented packets, but MS Messenger packets with some
> advertisement for "security" software :-(.
> --
> fr.gr.
> Freek

Yes thank you, you are right. The reply I mentioned was not from this list but
from the bleeding snort list. Here is the post I was thinking of:

>Monday, November 14 2005 @ 02:57 PM EST  	
>Afternoon all,

>I recently went inline with snort at home (yaay) and noticed some spammers 
>sending winpopup spam source port 0; which caused Snort to flag it as bad 
>traffic. I went digging for existing snort rules that detect this winpopup 
>abuse, and couldn't find any. My thought is since this is spam, I should be 
>dropping it anyway :)

My mistake!

More information about the list mailing list