Snort mailing list archives
Strange Traffic to 10.0.1.128
From: "Dusty Hall" <halljer () auburn edu>
Date: Wed, 25 Feb 2004 14:30:54 -0600
I'm seeing the following traffic from dozens of computers on our campus. I'm not sure what to make of it. Any thoughts?

-Dusty

*--------

14:20:01.731500 xxx.xxx.xxx.xxx.3139 > 10.0.1.128.36278: S 948466268:948466268(0) win 16384 <mss 1456,nop,nop,sackOK> (DF)
0x0000   4500 0030 0ee5 4000 8006 8d11 xxxx xxxx        E..0..@.........
0x0010   0a00 0180 0c43 8db6 3888 725c 0000 0000        .....C..8.r\....
0x0020   7002 4000 9f73 0000 0204 05b0 0101 0402        p.@..s..........
14:20:01.749327 xxx.xxx.xxx.xxx.3126 > 10.0.1.128.36278: S 944670114:944670114(0) win 16384 <mss 1456,nop,nop,sackOK> (DF)
0x0000   4500 0030 0ee6 4000 8006 8d10 xxxx xxxx        E..0..@.........
0x0010   0a00 0180 0c36 8db6 384e 85a2 0000 0000        .....6..8N......
0x0020   7002 4000 8c74 0000 0204 05b0 0101 0402        p.@..t..........
14:20:02.051142 xxx.xxx.xxx.xxx.3136 > 10.0.1.128.36278: S 947371790:947371790(0) win 16384 <mss 1456,nop,nop,sackOK> (DF)
0x0000   4500 0030 0ef0 4000 8006 8d06 xxxx xxxx        E..0..@.........
0x0010   0a00 0180 0c40 8db6 3877 bf0e 0000 0000        .....@..8w......
0x0020   7002 4000 52d5 0000 0204 05b0 0101 0402        p.@.R...........
14:20:02.151663 xxx.xxx.xxx.xxx.3137 > 10.0.1.128.36278: S 947438139:947438139(0) win 16384 <mss 1456,nop,nop,sackOK> (DF)
0x0000   4500 0030 0ef4 4000 8006 8d02 xxxx xxxx        E..0..@.........
0x0010   0a00 0180 0c41 8db6 3878 c23b 0000 0000        .....A..8x.;....
0x0020   7002 4000 4fa6 0000 0204 05b0 0101 0402        p.@.O...........
14:20:02.554036 xxx.xxx.xxx.xxx.3127 > 10.0.1.128.36278: S 945134256:945134256(0) win 16384 <mss 1456,nop,nop,sackOK> (DF)
0x0000   4500 0030 0eff 4000 8006 8cf7 xxxx xxxx        E..0..@.........
0x0010   0a00 0180 0c37 8db6 3855 9ab0 0000 0000        .....7..8U......
0x0020   7002 4000 775e 0000 0204 05b0 0101 0402        p.@.w^..........
14:20:03.020634 xxx.xxx.xxx.xxx.3140 > 10.0.1.128.36278: S 948834934:948834934(0) win 16384 <mss 1456,nop,nop,sackOK> (DF)
0x0000   4500 0030 0f0d 4000 8006 8ce9 xxxx xxxx        E..0..@.........
0x0010   0a00 0180 0c44 8db6 388e 1276 0000 0000        .....D..8..v....
0x0020   7002 4000 ff52 0000 0204 05b0 0101 0402        p.@..R..........
14:20:03.139266 xxx.xxx.xxx.xxx.3142 > 10.0.1.128.36278: S 948970852:948970852(0) win 16384 <mss 1456,nop,nop,sackOK> (DF)
0x0000   4500 0030 0f10 4000 8006 8ce6 xxxx xxxx        E..0..@.........
0x0010   0a00 0180 0c46 8db6 3890 2564 0000 0000        .....F..8.%d....
0x0020   7002 4000 ec60 0000 0204 05b0 0101 0402        p.@..`..........
14:20:03.157586 xxx.xxx.xxx.xxx.3138 > 10.0.1.128.36278: S 947825858:947825858(0) win 16384 <mss 1456,nop,nop,sackOK> (DF)
0x0000   4500 0030 0f11 4000 8006 8ce5 xxxx xxxx        E..0..@.........
0x0010   0a00 0180 0c42 8db6 387e acc2 0000 0000        .....B..8~......
0x0020   7002 4000 6518 0000 0204 05b0 0101 0402        p.@.e...........
14:20:03.389056 xxx.xxx.xxx.xxx.3143 > 10.0.1.128.36278: S 949143173:949143173(0) win 16384 <mss 1456,nop,nop,sackOK> (DF)
0x0000   4500 0030 0f17 4000 8006 8cdf xxxx xxxx        E..0..@.........
0x0010   0a00 0180 0c47 8db6 3892 c685 0000 0000        .....G..8.......
0x0020   7002 4000 4b3c 0000 0204 05b0 0101 0402        p.@.K<..........
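An added example, not part of the original post: a small decoder for the hex column of the capture above, useful for checking the raw header bytes against tcpdump's summary line (destination, ports, flags, window, TTL, options). The function names are illustrative, and the bytes the poster redacted as "xxxx" are read as zero.

```python
import ipaddress
import struct

# First packet of the post, hex column only; "xxxx" is the poster's redaction
# of the source address and is read here as zero bytes.
SAMPLE_HEX = ("4500 0030 0ee5 4000 8006 8d11 xxxx xxxx "
              "0a00 0180 0c43 8db6 3888 725c 0000 0000 "
              "7002 4000 9f73 0000 0204 05b0 0101 0402")
TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")

def parse_options(tcp, end):
    """Walk the TCP options between byte 20 and the data offset."""
    opts, i = [], 20
    while i < end:
        kind = tcp[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # single-byte no-op padding
            opts.append("nop")
            i += 1
            continue
        length = tcp[i + 1] if i + 1 < end else 0
        if length < 2 or i + length > end:  # malformed length: stop, never overrun
            opts.append("malformed")
            break
        if kind == 2 and length == 4:
            opts.append("mss %d" % struct.unpack("!H", tcp[i + 2:i + 4])[0])
        else:
            opts.append("sackOK" if kind == 4 else "kind %d" % kind)
        i += length
    return opts

def decode_ipv4_tcp(hex_dump):
    """Decode the IPv4 and TCP headers from a tcpdump -x style hex string."""
    raw = bytes.fromhex(hex_dump.replace("x", "0").replace(" ", ""))
    ihl = (raw[0] & 0x0F) * 4 if raw else 0
    if ihl < 20 or len(raw) < ihl + 20 or raw[0] >> 4 != 4 or raw[9] != 6:
        raise ValueError("not a complete IPv4/TCP header dump")
    total_len, _ip_id, frag = struct.unpack("!HHH", raw[2:8])
    tcp = raw[ihl:]
    sport, dport, seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    dst = ipaddress.ip_address(raw[16:20])
    return {
        "dst": str(dst), "dst_private": dst.is_private,
        "sport": sport, "dport": dport, "seq": seq, "window": window,
        "ttl": raw[8], "total_len": total_len, "df": bool(frag & 0x4000),
        "flags": [n for bit, n in enumerate(TCP_FLAGS) if off_flags & (1 << bit)],
        "options": parse_options(tcp, min((off_flags >> 12) * 4, len(tcp))),
    }

if __name__ == "__main__":
    print(decode_ipv4_tcp(SAMPLE_HEX))
```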