[Snort-sigs] Odd scans from

Matt Kettler mkettler at ...189...
Tue Apr 23 11:57:16 EDT 2002

1) this really should be on snort users, not snort-sigs. Please use the 
snort-users list next time you have a general question.

2) have you been using IRC?

Note that the packet you have logged is a syn-ack, which means it is (or 
claims to be) a response to a request for connect from your machine 
connecting to that server.

The IP that is "scanning" you is a IRC server.. see:

Host name: irc.tokyo.wide.ad.jp
IP address:
Alias(es): None

And look, a lot of this traffic is from port 6666/tcp on their end. From 
the snort.org ports DB:

  6666   tcp     irc-serv     internet relay chat server

and from IANA: (http://www.iana.org/assignments/port-numbers)

ircu            6665-6669/tcp  IRCU
ircu            6665-6669/udp  IRCU

Sounds like you're being "scanned' by your own internet activity.

At 01:01 PM 4/23/2002 -0500, Robert Wagner wrote:
>Odd scans from  Does anyone know what they are scanning for?
>I don't have a server running at myip.  I have heard this IP address has
>been doing a lot of scanning like this.  Slow scan to avoid detection.

More information about the Snort-sigs mailing list