[Snort-sigs] Scans on 442 and 54

Robert Wagner rwagner at ...447...
Mon Mar 25 09:41:20 EST 2002


I have noticed some scans coming in on TCP 442 and 54.  The traffic comes at
the same time on both ports from the same host.  One is mentioned at XNS
Clearinghouse (54) and CVC Hostd (442) (CVC - Cray Virtual Console).  Does
anyone know what this traffic may be?

I am capturing the whole packet by running snort -X with these rules:
alert tcp $EXTERNAL_NET any -> $HOME_NET 54 (msg:"MISC XNS Clearinghouse";)
alert udp $EXTERNAL_NET any -> $HOME_NET 54 (msg:"MISC XNS Clearinghouse";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 442 (msg:"MISC CVC Hostd";)
alert udp $EXTERNAL_NET any -> $HOME_NET 442 (msg:"MISC CVC Hostd";)

Since we don't have a Cray Computer (I wish), I am treating this as
suspicious traffic.


---------------------------------->Traffic, my IP is replaced with me and xx
in hex.
[**] MISC CVC Hostd [**]
03/23-09:14:51.799043 210.196.136.172:2259 -> me:442
TCP TTL:109 TOS:0x0 ID:2002 IpLen:20 DgmLen:48 DF
******S* Seq: 0x2ABCA988  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
0x0000: xx xx xx xx xx xx xx xx xx xx xx xx xx xx 45 00  .P..XC..c.....E.
0x0010: 00 30 07 D2 40 00 6D 06 3B 48 D2 C4 88 AC xx xx  .0..@.m.;H.....,
0x0020: xx xx 08 D3 01 BA 2A BC A9 88 00 00 00 00 70 02  ......*.......p.
0x0030: 40 00 99 9F 00 00 02 04 05 B4 01 01 04 02        @.............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MISC CVC Hostd [**]
03/23-09:14:52.479043 210.196.136.172:2259 -> me:442
TCP TTL:109 TOS:0x0 ID:2081 IpLen:20 DgmLen:48 DF
******S* Seq: 0x2ABCA988  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
0x0000: xx xx xx xx xx xx xx xx xx xx xx xx xx xx 45 00  .P..XC..c.....E.
0x0010: 00 30 08 21 40 00 6D 06 3A F9 D2 C4 88 AC xx xx  .0.!@.m.:......,
0x0020: 9F 10 08 D3 01 BA 2A BC A9 88 00 00 00 00 70 02  ......*.......p.
0x0030: 40 00 99 9F 00 00 02 04 05 B4 01 01 04 02        @.............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MISC CVC Hostd [**]
03/23-09:14:53.259043 210.196.136.172:2259 -> me:442
TCP TTL:109 TOS:0x0 ID:2176 IpLen:20 DgmLen:48 DF
******S* Seq: 0x2ABCA988  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
0x0000: xx xx xx xx xx xx xx xx xx xx xx xx xx xx 45 00  .P..XC..c.....E.
0x0010: 00 30 08 80 40 00 6D 06 3A 9A D2 C4 88 AC xx xx  .0..@.m.:......,
0x0020: xx xx 08 D3 01 BA 2A BC A9 88 00 00 00 00 70 02  ......*.......p.
0x0030: 40 00 99 9F 00 00 02 04 05 B4 01 01 04 02        @.............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MISC XNS Clearinghouse [**]
03/23-09:14:51.829043 210.196.136.172:2260 -> me:54
TCP TTL:109 TOS:0x0 ID:2010 IpLen:20 DgmLen:48 DF
******S* Seq: 0x2ABDA00F  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
0x0000: xx xx xx xx xx xx xx xx xx xx xx xx xx xx 45 00  .P..XC..c.....E.
0x0010: 00 30 07 DA 40 00 6D 06 3B 40 D2 C4 88 AC xx xx  .0..@.m.;@.....,
0x0020: xx xx 08 D4 00 36 2A BD A0 0F 00 00 00 00 70 02  .....6*.......p.
0x0030: 40 00 A4 9A 00 00 02 04 05 B4 01 01 04 02        @.............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MISC XNS Clearinghouse [**]
03/23-09:14:52.589043 210.196.136.172:2260 -> 208.44.159.16:54
TCP TTL:109 TOS:0x0 ID:2089 IpLen:20 DgmLen:48 DF
******S* Seq: 0x2ABDA00F  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
0x0000: xx xx xx xx xx xx xx xx xx xx xx xx xx xx 45 00  .P..XC..c.....E.
0x0010: 00 30 08 29 40 00 6D 06 3A F1 D2 C4 88 AC xx xx  .0.)@.m.:......,
0x0020: xx xx 08 D4 00 36 2A BD A0 0F 00 00 00 00 70 02  .....6*.......p.
0x0030: 40 00 A4 9A 00 00 02 04 05 B4 01 01 04 02        @.............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MISC XNS Clearinghouse [**]
03/23-09:14:53.309043 210.196.136.172:2260 -> 208.44.159.16:54
TCP TTL:109 TOS:0x0 ID:2186 IpLen:20 DgmLen:48 DF
******S* Seq: 0x2ABDA00F  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
0x0000: xx xx xx xx xx xx xx xx xx xx xx xx xx xx 45 00  .P..XC..c.....E.
0x0010: 00 30 08 8A 40 00 6D 06 3A 90 D2 C4 88 AC xx xx  .0..@.m.:......,
0x0020: xx xx 08 D4 00 36 2A BD A0 0F 00 00 00 00 70 02  .....6*.......p.
0x0030: 40 00 A4 9A 00 00 02 04 05 B4 01 01 04 02        @.............
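An added example, not from the post above and not Snort's own code: a small Python script that parses the timestamp and flag lines of the snort -X alerts quoted above and, per source host, checks whether one host sent SYNs to both 54 and 442 within a short window and how many of those SYNs reused the same initial sequence number against the same port (the three identical Seq values per port in the dumps are retransmissions of one connection attempt). The SAMPLE text is constructed from the six alert headers in the post; the regexes, the 2-second window and the field names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the timestamp and flag lines of the six alerts in the post above.
SAMPLE = """\
03/23-09:14:51.799043 210.196.136.172:2259 -> me:442
******S* Seq: 0x2ABCA988  Ack: 0x0  Win: 0x4000  TcpLen: 28
03/23-09:14:52.479043 210.196.136.172:2259 -> me:442
******S* Seq: 0x2ABCA988  Ack: 0x0  Win: 0x4000  TcpLen: 28
03/23-09:14:53.259043 210.196.136.172:2259 -> me:442
******S* Seq: 0x2ABCA988  Ack: 0x0  Win: 0x4000  TcpLen: 28
03/23-09:14:51.829043 210.196.136.172:2260 -> me:54
******S* Seq: 0x2ABDA00F  Ack: 0x0  Win: 0x4000  TcpLen: 28
03/23-09:14:52.589043 210.196.136.172:2260 -> me:54
******S* Seq: 0x2ABDA00F  Ack: 0x0  Win: 0x4000  TcpLen: 28
03/23-09:14:53.309043 210.196.136.172:2260 -> me:54
******S* Seq: 0x2ABDA00F  Ack: 0x0  Win: 0x4000  TcpLen: 28
"""
HDR = re.compile(r"^\d\d/\d\d-(\d\d):(\d\d):(\d\d\.\d+) (\S+):(\d+) -> (\S+):(\d+)$")
FLG = re.compile(r"^(\S{8}) Seq: (0x[0-9A-Fa-f]+)")

def parse_alerts(text):
    """Pair each snort -X timestamp line with the TCP flag/Seq line that follows it."""
    alerts, pending = [], None
    for line in text.splitlines():
        if (m := HDR.match(line)):
            h, mi, s, src, sport, dst, dport = m.groups()
            pending = {"t": int(h) * 3600 + int(mi) * 60 + float(s), "src": src, "dport": int(dport)}
        elif (m := FLG.match(line)) and pending:
            pending["flags"], pending["seq"] = m.group(1), int(m.group(2), 16)
            alerts.append(pending)
            pending = None
    return alerts

def correlate(alerts, ports=(54, 442), window=2.0):
    """Per source: SYNs to every port in `ports` within `window` seconds, plus retransmit count."""
    by_src = defaultdict(list)
    for a in alerts:
        if a["flags"] == "******S*" and a["dport"] in ports:
            by_src[a["src"]].append(a)
    report = {}
    for src, hits in by_src.items():
        dports = {a["dport"] for a in hits}
        times = [a["t"] for a in hits]
        report[src] = {
            "ports": sorted(dports),
            "paired_scan": set(ports) <= dports and max(times) - min(times) <= window,
            # a SYN that reuses the same ISN against the same port is a retransmission
            "retransmits": len(hits) - len({(a["dport"], a["seq"]) for a in hits}),
        }
    return report
```

For the quoted alerts this reports one source hitting ports [54, 442] inside 1.6 seconds with 4 of its 6 SYNs being retransmissions, i.e. two connection attempts retried twice each rather than a wide port sweep.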