Snort mailing list archives
Strange alert
From: Ralf Hildebrandt <Ralf.Hildebrandt () innominate com>
Date: Wed, 15 Aug 2001 10:13:27 +0200
What I got yesterday was this:
Aug 14 19:29:40 john kernel: Packet log: input - tr0 PROTO=6 213.26.33.201:21 195.243.106.23:21 L=40 S=0x00 I=39426 F=0x0000 T=29 SYN (#119)
Aug 14 19:29:40 john snort: spp_portscan: PORTSCAN DETECTED from 213.26.33.201 (STEALTH)
Aug 14 19:29:40 john snort: [1:624:1] SCAN SYN FIN [Classification: Attempted Information Leak] [Priority: 3]: {TCP} 213.26.33.201:21 -> 195.243.106.18:21
Aug 14 19:29:40 john snort: [1:624:1] SCAN SYN FIN [Classification: Attempted Information Leak] [Priority: 3]: {TCP} 213.26.33.201:21 -> 195.243.106.23:21
Aug 14 19:29:40 john snort: [1:624:1] SCAN SYN FIN [Classification: Attempted Information Leak] [Priority: 3]: {TCP} 213.26.33.201:21 -> 195.243.106.25:21
Aug 14 19:29:40 john snort: [1:527:1] MISC same SRC/DST [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 0.0.0.0:21 -> 0.0.0.0:0
OK, it's a portscan from 213.26.33.201, but where does that 0.0.0.0:21
-> 0.0.0.0:0 packet come from?
--
Ralf.Hildebrandt () innominate com innominate AG
+49.(0)30.308806-62 fax: -77 networking people
I've seen things you people wouldn't believe. Attack ships on fire off
the shoulder of Orion. I watched C-beams glitter in the dark near the
Tannhauser gate. All those moments will be lost in time, like tears in
rain. Time to die. -- Roy Batty, Blade Runner
