Snort mailing list archives
RE: Port 10008/tcp ?
From: "Tudor Panaitescu" <tpanaitescu () colorcon com>
Date: Tue, 15 May 2001 14:04:32 -0400
No typo. Please check the link below, down the page, Lion v3:
http://www.whitehats.com/library/worms/lion/index.html
(Thanks to H D Moore <hdm () secureaustin com>).

By the way, it is not in the ports database, it is not in the rules either, not in the vision.rules.

Just in case, quick and dirty, based on the analysis on whitehats.com I added to my local.rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET 1008 (msg: "Lion v1/2 trojan access attempted";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 2555 (msg: "Lion v1 trojan access attempted";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 33567 (msg: "Lion v1 trojan access attempted";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 33568 (msg: "Lion v1 trojan access attempted";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 60008 (msg: "Lion v1 trojan access attempted";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 10008 (msg: "Lion v3 trojan access attempted";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg: "Lion v3 trojan access attempted";)

Any comments on these rules are welcome... ;-)

All the best,
Tudor

"Bunter, Matthew" <Matthew.Bunter () cwcom cwplc com> on 05/15/2001 12:25:32 PM

To: snort-users () lists sourceforge net
cc: (bcc: Tudor Panaitescu/ColorconUS)
Subject: RE: [Snort-users] Port 10008/tcp ?

Just in case you did a typo (not accusing you or anything)
10007 is for mvs capacity and 10080 is for something called amanda
Nothing for 10007

Matt
-----Original Message-----
From: Tudor Panaitescu [SMTP:tpanaitescu () colorcon com]
Sent: 15 May 2001 16:46
To: snort-users () lists sourceforge net
Subject: [Snort-users] Port 10008/tcp ?

Hello everyone!

Does anybody know what this port, 10008/tcp, is for? I've got some attempts, always 2 at a time from the same source address.

TIA,
Tudor

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
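
The port list from the local.rules entries in the message above, applied to stored connection logs rather than live traffic, and extended to pick out sources that retry the same port in quick succession (the "2 at a time" pattern from the original question). This is an added example, not code from the thread or from Snort; the log line format, the HOME_NET range, the sample addresses and the function names are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Port-to-label mapping copied from the local.rules entries in the message above.
LION_PORTS = {1008: "Lion v1/2", 2555: "Lion v1", 33567: "Lion v1",
              33568: "Lion v1", 60008: "Lion v1", 10008: "Lion v3", 27374: "Lion v3"}

HOME_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed protected range

# Hypothetical log format (an assumption, not Snort output):
# "<date> <time> TCP <src_ip>:<src_port> -> <dst_ip>:<dst_port> <flags>"
LINE_RE = re.compile(
    r"^(\S+ \S+) TCP (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+) (\S+)$")

SAMPLE_LOG = [  # constructed sample data
    "2001-05-15 10:46:01 TCP 203.0.113.7:4021 -> 192.0.2.10:10008 S",
    "2001-05-15 10:46:04 TCP 203.0.113.7:4022 -> 192.0.2.10:10008 S",
    "2001-05-15 10:50:30 TCP 198.51.100.9:1500 -> 192.0.2.25:27374 S",
    "2001-05-15 10:51:00 TCP 198.51.100.9:1501 -> 192.0.2.25:80 S",
    "2001-05-15 10:52:00 TCP 192.0.2.10:10008 -> 203.0.113.7:4021 SA",
    "garbage line",
]

def lion_hits(lines):
    """Return {src_ip: [(time, dst_ip, dst_port, label), ...]} for external SYNs to listed ports."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse
        ts, src, dst, port, flags = m.groups()
        port = int(port)
        # Same direction as the rules: $EXTERNAL_NET any -> $HOME_NET <port>
        inbound = (ipaddress.ip_address(dst) in HOME_NET
                   and ipaddress.ip_address(src) not in HOME_NET)
        if inbound and flags == "S" and port in LION_PORTS:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            hits[src].append((when, dst, port, LION_PORTS[port]))
    return dict(hits)

def repeated_sources(hits, window=timedelta(seconds=10)):
    """Sources with two or more attempts on the same port inside `window`."""
    found = set()
    for src, events in hits.items():
        ordered = sorted(events)
        for first, second in zip(ordered, ordered[1:]):
            if first[2] == second[2] and second[0] - first[0] <= window:
                found.add(src)
    return sorted(found)
```
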
Current thread:
- Port 10008/tcp ? Tudor Panaitescu (May 15)
- Re: Port 10008/tcp ? H D Moore (May 15)
- <Possible follow-ups>
- RE: Port 10008/tcp ? Stacey Conrad (May 15)
- Re: Port 10008/tcp ? Neil Dickey (May 15)
- Re: Port 10008/tcp ? Edwin Chiu (May 15)
- RE: Port 10008/tcp ? Bunter, Matthew (May 15)
- RE: Port 10008/tcp ? Jason Lewis (May 15)
- RE: Port 10008/tcp ? Tudor Panaitescu (May 15)
- RE: Port 10008/tcp ? Tudor Panaitescu (May 15)
- RE: Port 10008/tcp ? Bunter, Matthew (May 22)