Snort mailing list archives

p2p scans showing up as SCAN FIN and SCAN NMAP ??


From: "John York" <YorkJ () brcc edu>
Date: Wed, 12 Nov 2003 09:10:40 -0500

Lately I've been getting a couple thousand hits a day on SCAN FIN and
some on SCAN NMAP.  They usually come in blocks of 4, and the port
numbers seem to indicate gnutella.  Are these coming from gnutella
clients?
Thanks
John

11/12-02:39:31.268287   SCAN FIN        TCP     213.58.88.126   51494   x.x.x.195       16623
11/12-02:39:31.268279   SCAN FIN        TCP     213.58.88.126   51494   x.x.x.195       16623
11/12-02:39:31.274337   SCAN FIN        TCP     213.58.88.126   51494   x.x.x.195       16623
11/12-02:39:31.274343   SCAN FIN        TCP     213.58.88.126   51494   x.x.x.195       16623
11/12-02:40:00.862726   SCAN FIN        TCP     24.193.12.18    60281   x.x.x.195       16623
11/12-02:40:00.862718   SCAN FIN        TCP     24.193.12.18    60281   x.x.x.195       16623
11/12-02:40:00.866999   SCAN FIN        TCP     24.193.12.18    60281   x.x.x.195       16623
11/12-02:40:00.867007   SCAN FIN        TCP     24.193.12.18    60281   x.x.x.195       16623
11/12-02:42:59.535692   SCAN FIN        TCP     64.65.91.19     4498    x.x.x.47        6346
11/12-02:42:59.539795   SCAN FIN        TCP     64.65.91.19     4498    x.x.x.47        6346
11/12-02:45:47.461893   SCAN FIN        TCP     128.172.210.139 50212   x.x.x.193       13547
11/12-02:45:47.461885   SCAN FIN        TCP     128.172.210.139 50212   x.x.x.193       13547
11/12-02:46:08.314505   SCAN FIN        TCP     67.68.47.192    33449   x.x.x.49        6346
11/12-02:47:37.653656   SCAN FIN        TCP     134.126.203.25  56027   x.x.x.31        6346
11/12-02:48:55.756787   SCAN FIN        TCP     209.208.227.71  62766   x.x.x.31        6346
11/12-02:53:45.302211   SCAN FIN        TCP     67.50.233.248   58345   x.x.x.31        6346
11/12-02:53:45.302521   SCAN FIN        TCP     67.50.233.248   58345   x.x.x.31        6346
11/12-02:53:46.745392   SCAN FIN        TCP     66.91.19.13     53289   x.x.x.176       6346
11/12-02:53:46.745461   SCAN FIN        TCP     66.91.19.13     53289   x.x.x.176       6346
11/12-02:53:46.745383   SCAN FIN        TCP     66.91.19.13     53289   x.x.x.176       6346
11/12-02:53:46.745453   SCAN FIN        TCP     66.91.19.13     53289   x.x.x.176       6346

11/12-02:43:51.881522   SCAN nmap TCP   TCP     64.119.138.2    80      x.x.x.176       6346
11/12-05:34:57.133148   SCAN nmap TCP   TCP     64.119.138.2    80      x.x.x.176       6346
11/12-05:34:57.133155   SCAN nmap TCP   TCP     64.119.138.2    80      x.x.x.176       6346
11/12-05:35:02.151291   SCAN nmap TCP   TCP     64.119.138.2    80      x.x.x.176       6346
11/12-05:35:02.151284   SCAN nmap TCP   TCP     64.119.138.2    80      x.x.x.176       6346
11/12-05:35:07.339134   SCAN nmap TCP   TCP     209.6.58.139    80      x.x.x.176       6346
11/12-05:35:07.339128   SCAN nmap TCP   TCP     209.6.58.139    80      x.x.x.176       6346
11/12-05:35:12.787599   SCAN nmap TCP   TCP     209.6.58.139    80      x.x.x.176       6346
11/12-05:35:12.787607   SCAN nmap TCP   TCP     209.6.58.139    80      x.x.x.176       6346

John York
Network Engineer
Blue Ridge Community College
1 College Lane, Weyers Cave, VA 24486
540.453.2255
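
Added example, not part of the original post: a triage script for alert lines in the column layout pasted above. It groups alerts by source and reports how many distinct destination host:port pairs each source touched, which separates repeated alerts on one flow from a sweep across ports. The sample lines, the documentation-range source addresses and the SWEEP_TARGETS threshold are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Columns: time, signature (may contain spaces), proto, src, sport, dst, dport.
ALERT = re.compile(r"^(\S+)\s+(.+?)\s+(TCP|UDP)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$")
GNUTELLA_PORT = 6346  # default Gnutella listener port
SWEEP_TARGETS = 5     # assumed threshold: distinct dst:port pairs per source
# Constructed sample: documentation-range sources, not the hosts in the post.
SAMPLE = """\
11/12-02:39:31.268287  SCAN FIN       TCP  192.0.2.10    51494  x.x.x.195  16623
11/12-02:39:31.268279  SCAN FIN       TCP  192.0.2.10    51494  x.x.x.195  16623
11/12-02:39:31.274337  SCAN FIN       TCP  192.0.2.10    51494  x.x.x.195  16623
11/12-02:39:31.274343  SCAN FIN       TCP  192.0.2.10    51494  x.x.x.195  16623
11/12-02:43:51.881522  SCAN nmap TCP  TCP  198.51.100.7  80     x.x.x.176  6346
11/12-05:34:57.133148  SCAN nmap TCP  TCP  198.51.100.7  80     x.x.x.176  6346
""" + "".join(  # one source touching six different ports on one host
    f"11/12-03:00:0{p}.000000  SCAN FIN  TCP  203.0.113.9  40000  x.x.x.31  {20 + p}\n"
    for p in range(6))

def parse(text):  # yields (time, signature, src, sport, dst, dport) per alert line
    for line in text.splitlines():
        m = ALERT.match(line.strip())
        if m:
            ts, sig, _proto, src, sport, dst, dport = m.groups()
            yield (datetime.strptime(ts, "%m/%d-%H:%M:%S.%f"), sig, src,
                   int(sport), dst, int(dport))

def triage(text):  # per-source summary: volume, spread of targets, time span
    per_src = defaultdict(lambda: {"times": [], "flows": set(), "targets": set()})
    for ts, _sig, src, sport, dst, dport in parse(text):
        s = per_src[src]
        s["times"].append(ts)  # alerts can arrive out of order, so keep them all
        s["flows"].add((sport, dst, dport))
        s["targets"].add((dst, dport))
    report = {}
    for src, s in per_src.items():
        report[src] = {
            "alerts": len(s["times"]),
            "flows": len(s["flows"]),
            "targets": len(s["targets"]),
            "span_s": (max(s["times"]) - min(s["times"])).total_seconds(),
            "gnutella_only": all(p == GNUTELLA_PORT for _, p in s["targets"]),
            "verdict": "sweep" if len(s["targets"]) >= SWEEP_TARGETS else "few targets",
        }
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A source with many alerts but a single flow and a single target is repeating on one connection; a source whose target count reaches the threshold is touching many ports or hosts.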


