Snort mailing list archives

What is the significance of this log file ?


From: Jon Naumann <Jon.Naumann () dynetics com>
Date: Thu, 20 Sep 2001 06:49:11 -0500

Greetings from a newbie....

I have been seeing quite a bit of traffic similar to below from my
internal hosts going out.  I have seen some traffic where the source
port increments with each additional target that leads me to believe
that a port scan is in progress.  I am not understanding the
significance of the source port not changing.  I haven't been able to
turn up anything about UDP port 1227 in any list of trojans nor in the
IANA/RFC's defining what should be on that port.

Can anyone shed some light ?

02:58:45 xx.xx.201.42:1227 -> 63.57.15.70:2619 UDP
02:58:45 xx.xx.201.42:1227 -> 165.247.89.101:1157 UDP
02:58:45 xx.xx.201.42:1227 -> 151.202.96.84:2588 UDP
02:58:46 xx.xx.201.42:1227 -> 63.194.22.174:1174 UDP
02:58:45 xx.xx.201.42:1227 -> 149.159.62.152:2254 UDP
02:58:48 xx.xx.201.42:1227 -> 165.247.89.101:1157 UDP
02:58:48 xx.xx.201.42:1227 -> 63.194.22.174:1174 UDP
02:58:47 xx.xx.201.42:1227 -> 63.57.15.70:2619 UDP
02:58:48 xx.xx.201.42:1227 -> 151.202.96.84:2588 UDP
02:58:48 xx.xx.201.42:1227 -> 149.159.62.152:2254 UDP
02:58:51 xx.xx.201.42:1227 -> 165.247.89.101:1157 UDP
02:58:51 xx.xx.201.42:1227 -> 151.202.96.84:2588 UDP
02:58:50 xx.xx.201.42:1227 -> 149.159.62.152:2254 UDP
02:58:51 xx.xx.201.42:1227 -> 63.57.15.70:2619 UDP
02:58:51 xx.xx.201.42:1227 -> 63.194.22.174:1174 UDP
02:58:54 xx.xx.201.42:1227 -> 63.57.15.70:2619 UDP
02:58:54 xx.xx.201.42:1227 -> 165.247.89.101:1157 UDP
02:58:54 xx.xx.201.42:1227 -> 151.202.96.84:2588 UDP
02:58:54 xx.xx.201.42:1227 -> 63.194.22.174:1174 UDP
02:58:54 xx.xx.201.42:1227 -> 149.159.62.152:2254 UDP
02:58:57 xx.xx.201.42:1227 -> 63.194.22.174:1174 UDP
02:58:57 xx.xx.201.42:1227 -> 63.57.15.70:2619 UDP
02:58:57 xx.xx.201.42:1227 -> 165.247.89.101:1157 UDP
02:58:57 xx.xx.201.42:1227 -> 151.202.96.84:2588 UDP
02:58:57 xx.xx.201.42:1227 -> 149.159.62.152:2254 UDP
02:59:00 xx.xx.201.42:1227 -> 63.194.22.174:1174 UDP
02:59:00 xx.xx.201.42:1227 -> 63.57.15.70:2619 UDP
02:59:00 xx.xx.201.42:1227 -> 149.159.62.152:2254 UDP
02:59:00 xx.xx.201.42:1227 -> 151.202.96.84:2588 UDP
02:58:59 xx.xx.201.42:1227 -> 165.247.89.101:1157 UDP
02:59:03 xx.xx.201.42:1227 -> 63.57.15.70:2619 UDP
02:59:03 xx.xx.201.42:1227 -> 149.159.62.152:2254 UDP
02:59:03 xx.xx.201.42:1227 -> 63.194.22.174:1174 UDP
02:59:03 xx.xx.201.42:1227 -> 151.202.96.84:2588 UDP
02:59:01 xx.xx.201.42:2346 -> 194.251.249.103:27243 UDP
02:59:02 xx.xx.201.42:1227 -> 165.247.89.101:1157 UDP
02:59:06 xx.xx.201.42:1227 -> 63.194.22.174:1174 UDP
02:59:06 xx.xx.201.42:1227 -> 151.202.96.84:2588 UDP

Thanks in advance,

Jon Naumann
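
One way to quantify the pattern in the log above, as an added example that is not part of the original post: it groups datagrams by source socket and reports how many distinct destination endpoints each socket contacts, how often the same endpoints recur, and the typical gap between repeats. The function names, labels and thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the first ten lines of the posted log plus its one
# line with a different source port (2346).
SAMPLE = """\
02:58:45 xx.xx.201.42:1227 -> 63.57.15.70:2619 UDP
02:58:45 xx.xx.201.42:1227 -> 165.247.89.101:1157 UDP
02:58:45 xx.xx.201.42:1227 -> 151.202.96.84:2588 UDP
02:58:46 xx.xx.201.42:1227 -> 63.194.22.174:1174 UDP
02:58:45 xx.xx.201.42:1227 -> 149.159.62.152:2254 UDP
02:58:48 xx.xx.201.42:1227 -> 165.247.89.101:1157 UDP
02:58:48 xx.xx.201.42:1227 -> 63.194.22.174:1174 UDP
02:58:47 xx.xx.201.42:1227 -> 63.57.15.70:2619 UDP
02:58:48 xx.xx.201.42:1227 -> 151.202.96.84:2588 UDP
02:58:48 xx.xx.201.42:1227 -> 149.159.62.152:2254 UDP
02:59:01 xx.xx.201.42:2346 -> 194.251.249.103:27243 UDP
"""

LINE = re.compile(r"^(\d\d):(\d\d):(\d\d) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")

def summarize(text):
    """Per source socket: distinct peers, packets, repeats per peer, median gap (s)."""
    flows = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        h, mi, s, src, sport, dst, dport, proto = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + int(s)
        flows[(src, int(sport), proto)][(dst, int(dport))].append(t)
    stats = {}
    for sock, peers in flows.items():
        packets = sum(len(ts) for ts in peers.values())
        gaps = sorted(b - a for ts in peers.values()
                      for a, b in zip(sorted(ts), sorted(ts)[1:]))
        stats[sock] = {"peers": len(peers), "packets": packets,
                       "repeat_ratio": packets / len(peers),
                       "median_gap": gaps[len(gaps) // 2] if gaps else None}
    return stats

def classify(s, min_peers=5):
    """Heuristic labels; the thresholds are assumptions, not Snort defaults."""
    if s["repeat_ratio"] >= 2:
        return "repeated peers"   # same endpoints contacted again and again
    if s["peers"] >= min_peers:
        return "fan-out"          # many endpoints, each touched about once
    return "inconclusive"

if __name__ == "__main__":
    for sock, s in summarize(SAMPLE).items():
        print(sock, s, classify(s))
```

A low repeat ratio across many destinations is what a sweep looks like in this summary; a fixed source port with a small, recurring set of destination endpoints is what a single bound UDP socket sending to the same peers produces.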

