[Snort-sigs] Odd scans from 192.244.23.1

Robert Wagner rwagner at ...447...
Tue Apr 23 11:02:14 EDT 2002


Odd scans from 192.244.23.1.  Does anyone know what they are scanning for?
I don't have a server running at myip.  I have heard this IP address has
been doing a lot of scanning like this.  Slow scan to avoid detection.

src=192.244.23.1 dst=myip src_port=6663 dst_port=1559 service=tcp/port:1559
policy=46 action=Deny duration=0 start_time="04/22/2002 15:56:41"
src=192.244.23.1 dst=myip src_port=6664 dst_port=1360 service=tcp/port:1360
policy=46 action=Deny duration=0 start_time="04/22/2002 16:11:02"
src=192.244.23.1 dst=myip src_port=6664 dst_port=1360 service=tcp/port:1360
policy=46 action=Deny duration=0 start_time="04/22/2002 16:13:30"
src=192.244.23.1 dst=myip src_port=6666 dst_port=1414 service=tcp/port:1414
policy=46 action=Deny duration=0 start_time="04/22/2002 17:00:31"
src=192.244.23.1 dst=myip src_port=6661 dst_port=1888 service=tcp/port:1888
policy=46 action=Deny duration=0 start_time="04/22/2002 17:05:15"
src=192.244.23.1 dst=myip src_port=6666 dst_port=1414 service=tcp/port:1414
policy=46 action=Deny duration=0 start_time="04/22/2002 17:05:57"
src=192.244.23.1 dst=myip src_port=6661 dst_port=1888 service=tcp/port:1888
policy=46 action=Deny duration=0 start_time="04/22/2002 17:10:55"
src=192.244.23.1 dst=myip src_port=6662 dst_port=2391 service=tcp/port:2391
policy=46 action=Deny duration=0 start_time="04/22/2002 17:40:49"
src=192.244.23.1 dst=myip src_port=6662 dst_port=2391 service=tcp/port:2391
policy=46 action=Deny duration=0 start_time="04/22/2002 17:48:27"
src=192.244.23.1 dst=myip src_port=6664 dst_port=1360 service=tcp/port:1360
policy=46 action=Deny duration=0 start_time="04/22/2002 17:56:43"
src=192.244.23.1 dst=myip src_port=6668 dst_port=1328 service=tcp/port:1328
policy=46 action=Deny duration=0 start_time="04/22/2002 18:09:38"
src=192.244.23.1 dst=myip src_port=6668 dst_port=1328 service=tcp/port:1328
policy=46 action=Deny duration=0 start_time="04/22/2002 18:18:51"

[**] LOCAL Misc high port scan [**]
04/22-17:14:01.197490 192.244.23.1:6661 -> myip:1888
TCP TTL:52 TOS:0x0 ID:26994 IpLen:20 DgmLen:44
***A**S* Seq: 0x2A4641F2  Ack: 0x1  Win: 0xFFFF  TcpLen: 24
TCP Options (1) => MSS: 1460
0x0000: 00 xx xx xx xx xx xx xx xx xx xx xx xx 00 45 00  ....:1..c.....E.
0x0010: 00 2C 69 72 00 00 34 06 D5 3F C0 F4 17 01 xx xx  .,ir..4..?.....,
0x0020: xx xx 1A 05 07 60 2A 46 41 F2 00 00 00 01 60 12  .....`*FA.....`.
0x0030: FF FF C2 5D 00 00 02 04 05 B4 01 01              ...]........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] LOCAL Misc high port scan [**]
04/22-17:19:41.687490 192.244.23.1:6661 -> myip:1888
TCP TTL:52 TOS:0x0 ID:37922 IpLen:20 DgmLen:44
***A**S* Seq: 0x67144C81  Ack: 0x1  Win: 0xFFFF  TcpLen: 24
TCP Options (1) => MSS: 1460
0x0000: 00 xx xx xx xx xx xx xx xx xx xx xx xx 00 45 00  ....:1..c.....E.
0x0010: 00 2C 94 22 00 00 34 06 AA 8F C0 F4 17 01 xx xx  .,."..4........,
0x0020: xx xx 1A 05 07 60 67 14 4C 81 00 00 00 01 60 12  .....`g.L.....`.
0x0030: FF FF 7B 00 00 00 02 04 05 B4 01 03              ..{.........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
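An added example, not part of the original post: one way to pick a slow scan out of firewall deny logs in the key=value layout shown above, by counting distinct destination ports per source over a long window when a short-window threshold sees nothing. The sample records, documentation-range addresses, function names and thresholds are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout of the firewall log above (each record
# wrapped over two lines). Addresses are documentation ranges, not from the post.
ROW = ('src={0} dst=203.0.113.10 src_port=6663 dst_port={1} service=tcp/port:{1}\n'
       'policy=46 action=Deny duration=0 start_time="04/22/2002 {2}"\n')
SAMPLE = ''.join(ROW.format(*e) for e in [
    ('198.51.100.7', 1559, '15:56:41'), ('198.51.100.7', 1360, '16:11:02'),
    ('198.51.100.7', 1360, '16:13:30'), ('198.51.100.7', 1414, '17:00:31'),
    ('198.51.100.7', 1888, '17:05:15'), ('198.51.100.7', 2391, '17:40:49'),
    ('198.51.100.99', 21, '12:00:01'), ('198.51.100.99', 22, '12:00:02'),
    ('198.51.100.99', 23, '12:00:03'), ('198.51.100.99', 25, '12:00:04'),
    ('192.0.2.50', 443, '09:00:00'), ('192.0.2.50', 443, '09:30:00'),
])
PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_records(text):
    """A record starts at each src= key, so wrapped lines rejoin themselves."""
    records = []
    for key, value in PAIR.findall(text):
        if key == 'src':
            records.append({})
        if records:
            records[-1][key] = value.strip('"')
    return records

def max_ports_in_window(events, window):
    """Most distinct dst ports inside any window that starts at an event."""
    return max(len({p for t, p in events if s <= t < s + window})
               for s, _ in events)

def classify(records, min_ports=4, short=timedelta(seconds=60),
             long=timedelta(hours=24)):
    """Map src -> 'fast' or 'slow' for sources denied on >= min_ports ports."""
    by_src = defaultdict(list)
    for r in records:
        if r.get('action') == 'Deny':
            when = datetime.strptime(r['start_time'], '%m/%d/%Y %H:%M:%S')
            by_src[r['src']].append((when, int(r['dst_port'])))
    verdicts = {}
    for src, events in by_src.items():
        if max_ports_in_window(events, short) >= min_ports:
            verdicts[src] = 'fast'
        elif max_ports_in_window(events, long) >= min_ports:
            verdicts[src] = 'slow'  # missed by the short window, caught by the long one
    return verdicts
```

Repeated denies to a single port, like the third constructed source, stay unflagged because only distinct destination ports are counted.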



