Snort mailing list archives
p2p scans showing up as SCAN FIN and SCAN NMAP ??
From: "John York" <YorkJ () brcc edu>
Date: Wed, 12 Nov 2003 09:10:40 -0500
Lately I've been getting a couple thousand hits a day on SCAN FIN and some on SCAN NMAP. They usually come in blocks of 4, and the port numbers seem to indicate gnutella. Are these coming from gnutella clients?

Thanks
John

11/12-02:39:31.268287 SCAN FIN TCP 213.58.88.126 51494 x.x.x.195 16623
11/12-02:39:31.268279 SCAN FIN TCP 213.58.88.126 51494 x.x.x.195 16623
11/12-02:39:31.274337 SCAN FIN TCP 213.58.88.126 51494 x.x.x.195 16623
11/12-02:39:31.274343 SCAN FIN TCP 213.58.88.126 51494 x.x.x.195 16623
11/12-02:40:00.862726 SCAN FIN TCP 24.193.12.18 60281 x.x.x.195 16623
11/12-02:40:00.862718 SCAN FIN TCP 24.193.12.18 60281 x.x.x.195 16623
11/12-02:40:00.866999 SCAN FIN TCP 24.193.12.18 60281 x.x.x.195 16623
11/12-02:40:00.867007 SCAN FIN TCP 24.193.12.18 60281 x.x.x.195 16623
11/12-02:42:59.535692 SCAN FIN TCP 64.65.91.19 4498 x.x.x.47 6346
11/12-02:42:59.539795 SCAN FIN TCP 64.65.91.19 4498 x.x.x.47 6346
11/12-02:45:47.461893 SCAN FIN TCP 128.172.210.139 50212 x.x.x.193 13547
11/12-02:45:47.461885 SCAN FIN TCP 128.172.210.139 50212 x.x.x.193 13547
11/12-02:46:08.314505 SCAN FIN TCP 67.68.47.192 33449 x.x.x.49 6346
11/12-02:47:37.653656 SCAN FIN TCP 134.126.203.25 56027 x.x.x.31 6346
11/12-02:48:55.756787 SCAN FIN TCP 209.208.227.71 62766 x.x.x.31 6346
11/12-02:53:45.302211 SCAN FIN TCP 67.50.233.248 58345 x.x.x.31 6346
11/12-02:53:45.302521 SCAN FIN TCP 67.50.233.248 58345 x.x.x.31 6346
11/12-02:53:46.745392 SCAN FIN TCP 66.91.19.13 53289 x.x.x.176 6346
11/12-02:53:46.745461 SCAN FIN TCP 66.91.19.13 53289 x.x.x.176 6346
11/12-02:53:46.745383 SCAN FIN TCP 66.91.19.13 53289 x.x.x.176 6346
11/12-02:53:46.745453 SCAN FIN TCP 66.91.19.13 53289 x.x.x.176 6346

11/12-02:43:51.881522 SCAN nmap TCP TCP 64.119.138.2 80 x.x.x.176 6346
11/12-05:34:57.133148 SCAN nmap TCP TCP 64.119.138.2 80 x.x.x.176 6346
11/12-05:34:57.133155 SCAN nmap TCP TCP 64.119.138.2 80 x.x.x.176 6346
11/12-05:35:02.151291 SCAN nmap TCP TCP 64.119.138.2 80 x.x.x.176 6346
11/12-05:35:02.151284 SCAN nmap TCP TCP 64.119.138.2 80 x.x.x.176 6346
11/12-05:35:07.339134 SCAN nmap TCP TCP 209.6.58.139 80 x.x.x.176 6346
11/12-05:35:07.339128 SCAN nmap TCP TCP 209.6.58.139 80 x.x.x.176 6346
11/12-05:35:12.787599 SCAN nmap TCP TCP 209.6.58.139 80 x.x.x.176 6346
11/12-05:35:12.787607 SCAN nmap TCP TCP 209.6.58.139 80 x.x.x.176 6346

John York
Network Engineer
Blue Ridge Community College
1 College Lane, Weyers Cave, VA 24486
540.453.2255
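One way to triage alerts in the format pasted above, as an added example that is not part of the original message: group the lines by flow, count repeats, and see how many distinct targets each source touched and what share of alerts hit the Gnutella default port 6346. The function names and the `threshold` value are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict

# A few alert lines copied from the message above, used as sample input.
SAMPLE = """\
11/12-02:39:31.268287 SCAN FIN TCP 213.58.88.126 51494 x.x.x.195 16623
11/12-02:39:31.268279 SCAN FIN TCP 213.58.88.126 51494 x.x.x.195 16623
11/12-02:39:31.274337 SCAN FIN TCP 213.58.88.126 51494 x.x.x.195 16623
11/12-02:39:31.274343 SCAN FIN TCP 213.58.88.126 51494 x.x.x.195 16623
11/12-02:42:59.535692 SCAN FIN TCP 64.65.91.19 4498 x.x.x.47 6346
11/12-02:42:59.539795 SCAN FIN TCP 64.65.91.19 4498 x.x.x.47 6346
11/12-05:34:57.133148 SCAN nmap TCP TCP 64.119.138.2 80 x.x.x.176 6346
11/12-05:34:57.133155 SCAN nmap TCP TCP 64.119.138.2 80 x.x.x.176 6346
"""

# timestamp, signature, "TCP" (doubled in the nmap lines), src, sport, dst, dport
LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(?P<sig>SCAN \S+)\s+(?:TCP\s+)+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s*$")

GNUTELLA_DEFAULT_PORT = 6346  # default only; clients can listen elsewhere

def parse(text):
    """Yield one dict per alert line; lines that do not match are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            yield d

def summarize(text):
    """Return (alerts per flow, set of (dst, dport) targets per source)."""
    flows, targets = Counter(), defaultdict(set)
    for a in parse(text):
        flows[(a["sig"], a["src"], a["sport"], a["dst"], a["dport"])] += 1
        targets[a["src"]].add((a["dst"], a["dport"]))
    return flows, targets

def touches_many_targets(targets, src, threshold=5):
    """True if one source hit >= threshold distinct (host, port) pairs."""
    return len(targets.get(src, ())) >= threshold

def port_share(flows, port=GNUTELLA_DEFAULT_PORT):
    """Fraction of all alerts whose destination port equals `port`."""
    total = sum(flows.values())
    return sum(n for k, n in flows.items() if k[4] == port) / total if total else 0.0
```

Repeated alerts on a single source port and destination pair show up as one flow with a count above 1, which separates them from a source that walks across many hosts or ports.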