Snort mailing list archives
Re: portscans from 255.255.255.255?
From: Gary Flynn <flynngn () jmu edu>
Date: Thu, 30 Jan 2003 16:19:54 -0500
twig les wrote:
Hey all, I have seriously debated whether I should send this since it may or may not be off-topic; it's just too bizarre to tell. My border routers are syslogging this:

bdr-acl-in denied tcp 255.255.255.255(80) -> 1.1.156.194(8118)

They started here regularly on Jan 29 around 1500 EST. Someone in Poland recently posted to the Incidents list that they saw it start up on the same day. They're coming in every few seconds. Different hosts and high ports. Varying TTL and ACL numbers. I haven't found anything here going out that would cause it.

01/30-14:57:54.393807 255.255.255.255:80 -> InternalAddress:18128
TCP TTL:236 TOS:0x0 ID:24721 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x67E40001 Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/30-14:57:54.576724 255.255.255.255:80 -> InternalAddress:29922
TCP TTL:238 TOS:0x0 ID:21195 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x4DAB0001 Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/30-14:58:13.453737 255.255.255.255:80 -> InternalAddress:8685
TCP TTL:47 TOS:0x0 ID:27062 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x501A0015 Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/30-14:58:19.938537 255.255.255.255:80 -> InternalAddress:28599
TCP TTL:239 TOS:0x0 ID:13989 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x51510001 Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
Current thread:
- portscans from 255.255.255.255? twig les (Jan 30)
- Re: portscans from 255.255.255.255? Sam Evans (Jan 30)
- Re: portscans from 255.255.255.255? Gary Flynn (Jan 30)
- Re: portscans from 255.255.255.255? Matt Kettler (Jan 30)
- <Possible follow-ups>
- RE: portscans from 255.255.255.255? larosa, vjay (Jan 30)