Snort mailing list archives
RE: Re: [Snort-sigs] Scan on tcp 13000
From: "Miller, Eoin" <Miller () fhlb-of com>
Date: Tue, 18 Feb 2003 16:11:09 -0500
http://isc.incidents.org/port_details.html?port=13000 seems to have been hitting hard in the last 2 days, I'm pretty sure incidents.org will have a blurb about this in a week's time.

-----Original Message-----
From: Drew Stockman [mailto:Drew.Stockman () cibmis com]
Sent: Tuesday, February 18, 2003 3:17 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Re: [Snort-sigs] Scan on tcp 13000

I too am seeing this type of traffic. I am seeing it coming from 128.83.166.35 and sweeping across one of my IP ranges. This IP resolves to the University of Texas at Austin. Seems to be coming out of the universities, but does anyone know what it is yet?

Drew Stockman
Security Analyst
CIBMIS

-----Original Message-----
From: Alex Polevoy [mailto:aspolevoy () shiloh com]
Sent: Tuesday, February 18, 2003 1:06 PM
To: Snort-users () lists sourceforge net; EveristB () naswi navy mil
Subject: RE: [Snort-users] Re: [Snort-sigs] Scan on tcp 13000

My IDS registered same alerts at 21:53 2003-02-17.

"Everist, Benjamin S. (NASWI)" <EveristB () naswi navy mil> 02/18/03 01:11pm >>>
same here, 149 alerts, same host, same alert.
149 destinations, first/last: 2003-02-17 13:58:06 2003-02-17 13:58:07

-----Original Message-----
From: Jeff Kell [mailto:jeff-kell () utc edu]
Sent: Monday, February 17, 2003 10:57 PM
To: Michael Scheidell
Cc: Bob Dehnhardt; 'Snort Users List'; baldwinl () mynetwatchman com
Subject: [Snort-users] Re: [Snort-sigs] Scan on tcp 13000

Michael Scheidell wrote:
> Has anyone else seen any tcp scans with both source and destination ports of
> 13000, SYN flag set, and a sequence ID of 674711609?

Yep, coming out of columbia.edu.

I had 1702 hits in one tarpit, let me see if they're still stuck... nope, but they should have been reported to DShield... yes!

source port = 13000, dest port = 13000
Source: 128.59.52.11 = mrl-sgi.mech.columbia.edu
Ended about 21:59 (UTC? Not sure what DShield reports)

Jeff

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

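The pattern reported in this thread (bare SYN, source and destination port both 13000, one sequence number reused across many destinations) can be picked out of packet logs with a short script. This is an added example, not part of any post in the thread; the log format, the function names, the sample records (documentation-range addresses) and the threshold of 3 targets are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records, not captures from the thread.
# Assumed format: timestamp src_ip src_port dst_ip dst_port flags seq
SAMPLE_LOG = """\
2003-02-17T13:58:06 192.0.2.10 13000 198.51.100.1 13000 S 674711609
2003-02-17T13:58:06 192.0.2.10 13000 198.51.100.2 13000 S 674711609
2003-02-17T13:58:07 192.0.2.10 13000 198.51.100.3 13000 S 674711609
2003-02-17T13:58:07 192.0.2.10 13000 198.51.100.3 13000 S 674711609
2003-02-17T13:58:08 203.0.113.5 40112 198.51.100.1 80 S 1893420017
2003-02-17T13:58:08 203.0.113.5 40113 198.51.100.2 80 S 2210934456
2003-02-17T13:58:09 203.0.113.5 40114 198.51.100.1 80 SA 77120045
malformed line
"""

def parse(line):
    """Return a record dict, or None for lines that do not parse."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, src, sport, dst, dport, flags, seq = parts
    try:
        return {"ts": ts, "src": src, "sport": int(sport), "dst": dst,
                "dport": int(dport), "flags": flags, "seq": int(seq)}
    except ValueError:
        return None

def find_fixed_seq_sweeps(log_text, min_targets=3):
    """Flag sources sending bare SYNs with sport == dport and one reused
    sequence number to at least min_targets distinct destinations."""
    targets = defaultdict(set)  # (src, port, seq) -> distinct dst IPs
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["flags"] != "S":
            continue  # skip unparsable lines and anything but a bare SYN
        if rec["sport"] != rec["dport"]:
            continue  # normal clients use an ephemeral source port
        targets[(rec["src"], rec["dport"], rec["seq"])].add(rec["dst"])
    return [
        {"src": s, "port": p, "seq": q, "targets": len(d)}
        for (s, p, q), d in sorted(targets.items())
        if len(d) >= min_targets
    ]

if __name__ == "__main__":
    for hit in find_fixed_seq_sweeps(SAMPLE_LOG):
        print(hit)
```

Repeated probes to the same destination count once, so the threshold measures how wide the sweep is rather than how many packets were sent.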
Current thread:
- RE: [Snort-sigs] Scan on tcp 13000 Scheidell (Feb 18)
- <Possible follow-ups>
- RE: Re: [Snort-sigs] Scan on tcp 13000 Everist, Benjamin S. (NASWI) (Feb 18)
- RE: Re: [Snort-sigs] Scan on tcp 13000 Alex Polevoy (Feb 18)
- RE: Re: [Snort-sigs] Scan on tcp 13000 Drew Stockman (Feb 18)
- RE: Re: [Snort-sigs] Scan on tcp 13000 Miller, Eoin (Feb 18)
- RE: Re: [Snort-sigs] Scan on tcp 13000 twig les (Feb 18)