Snort mailing list archives
Strange alert
From: Ralf Hildebrandt <Ralf.Hildebrandt () innominate com>
Date: Wed, 15 Aug 2001 10:13:27 +0200
What I got yesterday was this:

Aug 14 19:29:40 john kernel: Packet log: input - tr0 PROTO=6 213.26.33.201:21 195.243.106.23:21 L=40 S=0x00 I=39426 F=0x0000 T=29 SYN (#119)
Aug 14 19:29:40 john snort: spp_portscan: PORTSCAN DETECTED from 213.26.33.201 (STEALTH)
Aug 14 19:29:40 john snort: [1:624:1] SCAN SYN FIN [Classification: Attempted Information Leak] [Priority: 3]: {TCP} 213.26.33.201:21 -> 195.243.106.18:21
Aug 14 19:29:40 john snort: [1:624:1] SCAN SYN FIN [Classification: Attempted Information Leak] [Priority: 3]: {TCP} 213.26.33.201:21 -> 195.243.106.23:21
Aug 14 19:29:40 john snort: [1:624:1] SCAN SYN FIN [Classification: Attempted Information Leak] [Priority: 3]: {TCP} 213.26.33.201:21 -> 195.243.106.25:21
Aug 14 19:29:40 john snort: [1:527:1] MISC same SRC/DST [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 0.0.0.0:21 -> 0.0.0.0:0

OK, it's a portscan from 213.26.33.201, but where does that
0.0.0.0:21 -> 0.0.0.0:0 packet come from?

--
Ralf.Hildebrandt () innominate com    innominate AG
+49.(0)30.308806-62 fax: -77          networking people

I've seen things you people wouldn't believe. Attack ships on fire off
the shoulder of Orion. I watched C-beams glitter in the dark near the
Tannhauser gate. All those moments will be lost in time, like tears in
rain. Time to die.
-- Roy Batty, Blade Runner