Snort mailing list archives

17203 portscan alerts in 23 hours from same IP


From: Jon Quiros <sysadmin () ncemch org>
Date: 10 Jul 2002 11:48:59 -0400

Snort 1.8.6 (Build 105) to MySQL on Darwin, using ACID.


I've gotten used to seeing portscans lasting from a few seconds to a few minutes, and from *transient* IPs, unlike 
192.193.195.132 (one of Citigroup's web servers, compromised?).
All activity is from port 80 and looks like it's scanning several ports between 1951 and 2014, over and over again. I 
know the person on the scanned machine uses Yahoo me$$@#%r on occasion, but I'd never seen this raised before. So if 
this is not a false positive, would it look more like a targeted scan?

I'm guessing this might be something NOT to be concerned with, but I'd like to learn more about it, so if you can share 
some info or insight about it that'll help me see the larger picture, I'd appreciate and benefit from it.

Thank you!
Jon Q

part of portscan.log
=====
Jul  9 10:09:48 192.193.195.132:80 -> one.of.my.users:1951 INVALIDACK ***A*R*F 
Jul  9 10:11:11 192.193.195.132:80 -> one.of.my.users:1955 INVALIDACK ***A*R*F 
Jul  9 10:11:11 192.193.195.132:80 -> one.of.my.users:1956 INVALIDACK ***A*R*F 
Jul  9 10:11:11 192.193.195.132:80 -> one.of.my.users:1959 INVALIDACK ***A*R*F 
Jul  9 10:11:24 192.193.195.132:80 -> one.of.my.users:1973 INVALIDACK ***A*R*F 
Jul  9 10:11:25 192.193.195.132:80 -> one.of.my.users:1975 INVALIDACK ***A*R*F 
Jul  9 10:11:27 192.193.195.132:80 -> one.of.my.users:1976 INVALIDACK ***A*R*F 
Jul  9 10:11:27 192.193.195.132:80 -> one.of.my.users:1978 INVALIDACK ***A*R*F 
Jul  9 10:11:28 192.193.195.132:80 -> one.of.my.users:1982 INVALIDACK ***A*R*F 
Jul  9 10:11:28 192.193.195.132:80 -> one.of.my.users:1980 INVALIDACK ***A*R*F 
Jul  9 10:11:28 192.193.195.132:80 -> one.of.my.users:1983 INVALIDACK ***A*R*F 
Jul  9 10:11:29 192.193.195.132:80 -> one.of.my.users:1984 INVALIDACK ***A*R*F 
Jul  9 10:11:29 192.193.195.132:80 -> one.of.my.users:1985 INVALIDACK ***A*R*F 
Jul  9 10:11:30 192.193.195.132:80 -> one.of.my.users:1987 INVALIDACK ***A*R*F 
Jul  9 10:11:30 192.193.195.132:80 -> one.of.my.users:1986 INVALIDACK ***A*R*F 
Jul  9 10:11:32 192.193.195.132:80 -> one.of.my.users:1988 INVALIDACK ***A*R*F 
Jul  9 10:11:32 192.193.195.132:80 -> one.of.my.users:1991 INVALIDACK ***A*R*F 
Jul  9 10:11:34 192.193.195.132:80 -> one.of.my.users:1994 INVALIDACK ***A*R*F 
Jul  9 10:11:35 192.193.195.132:80 -> one.of.my.users:1997 INVALIDACK ***A*R*F 
Jul  9 10:11:35 192.193.195.132:80 -> one.of.my.users:1998 INVALIDACK ***A*R*F 
Jul  9 10:11:38 192.193.195.132:80 -> one.of.my.users:1999 INVALIDACK ***A*R*F 
Jul  9 10:11:38 192.193.195.132:80 -> one.of.my.users:2000 INVALIDACK ***A*R*F 
Jul  9 10:11:40 192.193.195.132:80 -> one.of.my.users:2002 INVALIDACK ***A*R*F 
Jul  9 10:11:43 192.193.195.132:80 -> one.of.my.users:2011 INVALIDACK ***A*R*F 
Jul  9 10:11:43 192.193.195.132:80 -> one.of.my.users:2012 INVALIDACK ***A*R*F 
Jul  9 10:11:44 192.193.195.132:80 -> one.of.my.users:2014 INVALIDACK ***A*R*F 
Jul  9 10:11:44 192.193.195.132:80 -> one.of.my.users:1951 INVALIDACK ***A*R*F 
Jul  9 10:13:07 192.193.195.132:80 -> one.of.my.users:1955 INVALIDACK ***A*R*F 
Jul  9 10:13:07 192.193.195.132:80 -> one.of.my.users:1956 INVALIDACK ***A*R*F 
Jul  9 10:13:07 192.193.195.132:80 -> one.of.my.users:1959 INVALIDACK ***A*R*F 
Jul  9 10:13:20 192.193.195.132:80 -> one.of.my.users:1973 INVALIDACK ***A*R*F 
Jul  9 10:13:21 192.193.195.132:80 -> one.of.my.users:1975 INVALIDACK ***A*R*F 
Jul  9 10:13:23 192.193.195.132:80 -> one.of.my.users:1976 INVALIDACK ***A*R*F 
Jul  9 10:13:23 192.193.195.132:80 -> one.of.my.users:1978 INVALIDACK ***A*R*F 
Jul  9 10:13:24 192.193.195.132:80 -> one.of.my.users:1980 INVALIDACK ***A*R*F 
Jul  9 10:13:24 192.193.195.132:80 -> one.of.my.users:1982 INVALIDACK ***A*R*F 
Jul  9 10:13:24 192.193.195.132:80 -> one.of.my.users:1983 INVALIDACK ***A*R*F 
Jul  9 10:13:25 192.193.195.132:80 -> one.of.my.users:1984 INVALIDACK ***A*R*F 
Jul  9 10:13:25 192.193.195.132:80 -> one.of.my.users:1985 INVALIDACK ***A*R*F 
Jul  9 10:13:26 192.193.195.132:80 -> one.of.my.users:1987 INVALIDACK ***A*R*F 
Jul  9 10:13:26 192.193.195.132:80 -> one.of.my.users:1986 INVALIDACK ***A*R*F 
Jul  9 10:13:28 192.193.195.132:80 -> one.of.my.users:1988 INVALIDACK ***A*R*F 
Jul  9 10:13:28 192.193.195.132:80 -> one.of.my.users:1991 INVALIDACK ***A*R*F 
Jul  9 10:13:30 192.193.195.132:80 -> one.of.my.users:1994 INVALIDACK ***A*R*F 
Jul  9 10:13:31 192.193.195.132:80 -> one.of.my.users:1997 INVALIDACK ***A*R*F 
Jul  9 10:13:31 192.193.195.132:80 -> one.of.my.users:1998 INVALIDACK ***A*R*F 
Jul  9 10:13:34 192.193.195.132:80 -> one.of.my.users:1999 INVALIDACK ***A*R*F 
Jul  9 10:13:34 192.193.195.132:80 -> one.of.my.users:2000 INVALIDACK ***A*R*F 
Jul  9 10:13:36 192.193.195.132:80 -> one.of.my.users:2002 INVALIDACK ***A*R*F 
Jul  9 10:13:39 192.193.195.132:80 -> one.of.my.users:2011 INVALIDACK ***A*R*F 
Jul  9 10:13:39 192.193.195.132:80 -> one.of.my.users:2012 INVALIDACK ***A*R*F 
Jul  9 10:13:40 192.193.195.132:80 -> one.of.my.users:2014 INVALIDACK ***A*R*F 
=====
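As an added triage example (not from the poster or the Snort project): a Python parser for the portscan.log format above that groups alerts by source address, checks whether the fixed source port and flag pattern look like server-side replies rather than an inbound probe, and measures whether the same destination ports recur at a constant interval. The sample input reuses lines from the excerpt plus one constructed SYN probe line for contrast.

```python
import re
from collections import defaultdict
from datetime import datetime

# portscan.log record: "Mon DD HH:MM:SS src:port -> dst:port TYPE FLAGS", FLAGS being the
# 8-position string "12UAPRSF" ('*' = bit clear), so "***A*R*F" is ACK+RST+FIN without SYN.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<src>\S+):(?P<sport>\d+) -> "
    r"(?P<dst>\S+):(?P<dport>\d+) (?P<kind>\S+) (?P<flags>[12UAPRSF*]{8})\s*$")
# Sample input: two cycles taken from the excerpt above, plus one constructed SYN probe
# (198.51.100.7 is a documentation address) so the two patterns can be compared.
SAMPLE_LOG = """\
Jul  9 10:09:48 192.193.195.132:80 -> one.of.my.users:1951 INVALIDACK ***A*R*F
Jul  9 10:11:11 192.193.195.132:80 -> one.of.my.users:1955 INVALIDACK ***A*R*F
Jul  9 10:11:44 192.193.195.132:80 -> one.of.my.users:1951 INVALIDACK ***A*R*F
Jul  9 10:13:07 192.193.195.132:80 -> one.of.my.users:1955 INVALIDACK ***A*R*F
Jul  9 10:20:01 198.51.100.7:40123 -> one.of.my.users:22 SYN ******S*
""".splitlines()

def parse_line(line, year=2002):
    """One event dict per portscan.log record (syslog dates carry no year; pass it in)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "src": m["src"], "sport": int(m["sport"]), "dst": m["dst"],
            "dport": int(m["dport"]), "flags": {c for c in m["flags"] if c != "*"}}

def summarize(lines):
    """Per source address: ports touched, flags seen, repeat period and a triage verdict."""
    by_src = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_src[ev["src"]].append(ev)
    report = {}
    for src, evs in by_src.items():
        sports = sorted({e["sport"] for e in evs})
        flags = set().union(*(e["flags"] for e in evs))
        hits = defaultdict(list)                      # destination port -> timestamps
        for e in evs:
            hits[e["dport"]].append(e["ts"])
        # Near-constant gaps between repeat hits on one port point to a timer-driven peer.
        gaps = [int((b - a).total_seconds()) for t in hits.values() for a, b in zip(t, t[1:])]
        period = gaps[0] if gaps and max(gaps) - min(gaps) <= 2 else None
        # Service port as *source*, ACK set, SYN clear: the far end is answering sessions our host opened.
        replies = all(p < 1024 for p in sports) and "A" in flags and "S" not in flags
        report[src] = {"src_ports": sports, "dst_ports": sorted(hits), "period_s": period,
                       "flags": "".join(sorted(flags)),
                       "verdict": "server replies to our ephemeral ports" if replies else "inbound probe"}
    return report
```

On the excerpt every repeated port comes back after exactly 116 s, the fingerprint of something on the user's machine re-polling the web server on a timer rather than a human-driven scan, which fits the poster's messenger suspicion.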




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net