Snort mailing list archives
Re: Huge SYN Scan
From: Jim Forster <jforster () rapidnet com>
Date: Wed, 19 Dec 2001 09:14:20 -0700
It just started up last night, around 4pm MST from 10 different IP addresses. I firewalled them out and bound Snort to the outside interface just to watch. After the block, 7 of them quit probing us immediately. 1 probed 74 more times then quit. 1 probed 2300 times (exactly) then quit. 1 is still probing, and did 34,000+ SYNs overnight.

Just seemed odd that it all started up at once, and that once blocked, 7 of them quit. The other strange thing is that SYN scanning is all they were doing. Even when they were allowed into the network, none of them attempted any of the 'usual' IIS exploits these worms do.

---==On Wed, 19 Dec 2001 16:46:20 +0100, Roberto Suarez Soto wrote==---

> On Dec/18, Jim Forster wrote:
>
> > Anyone else seeing massive SYN scans to port 80 from all over the 'net?
>
> Effect of CodeRed/Nimda infected computers, I would say. There are a lot of them, though the "prime time" of the virus has passed :-)
-- Jim Forster, jforster () rapidnet com on 12/19/2001
Current thread:
- Huge SYN Scan Jim Forster (Dec 18)
- Re: Huge SYN Scan Roberto Suarez Soto (Dec 19)
- Re: Huge SYN Scan Jim Forster (Dec 19)
- Re: Huge SYN Scan Erik Fichtner (Dec 19)
- Re: Huge SYN Scan Roberto Suarez Soto (Dec 19)