[Dshield] Source port zero...
jlake at knoxcounty.midcoast.com
Wed Dec 7 15:19:15 GMT 2005
On Tuesday 06 December 2005 05:12 pm, Freek de Kruijf wrote:
> I receive these packages also and analysed a number of these packets. They
> are not fragmented packets, but MS Messenger packets with some
> advertisement for "security" software :-(.
Yes thank you, you are right. The reply I mentioned was not from this list but
from the bleeding snort list. Here is the post I was thinking of:
>Monday, November 14 2005 @ 02:57 PM EST
>I recently went inline with snort at home (yaay) and noticed some spammers
>sending winpopup spam source port 0; which caused Snort to flag it as bad
>traffic. I went digging for existing snort rules that detect this winpopup
>abuse, and couldn't find any. My thought is since this is spam, I should be
>dropping it anyway :)
More information about the list