No subject

Thu Nov 23 16:34:03 EST 2017

With only 2 source addresses and 1004 dest. address I find this quite
strange and I don't know what happened. It looks like a scanner though.

One address has 15062 alerts, the other 3620, and they both have alerts
on almost the same servers, namely:

The payload is every time the same (for so far I had looked at the
 length = 2

  000 : 30 30                                             00

Some more info:
source addr
dest addr
Ver     4
Hdr Len 5
TOS  	0
length 	30 
ID     	16818
flags  	0
offset  0
TTL  	115
chksum	52774

source port 	60000
dest port	2140
length		10

Has anyone had any experience with this alert and does know what
Or has anyone got some examples from a real hack attempt so I can have a
look at those alerts?

Thank you very much,
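
A triage sketch for the pattern the post describes (a couple of sources, many destinations, identical ports and payload), added here as an example and not part of the original message. The addresses, the `min_fanout` threshold and the function names are assumptions, and the sample alerts are constructed.

```python
from collections import defaultdict

# Constructed sample alerts (src, dst, sport, dport, payload hex). The
# addresses are documentation ranges, not values from the post.
def make_alerts():
    alerts = []
    for i in range(1, 41):          # source A sweeps 40 hosts, 3 probes each
        for _ in range(3):
            alerts.append(("198.51.100.7", f"192.0.2.{i}", 60000, 2140, "3030"))
    for i in range(1, 36):          # source B hits 35 of the same hosts once
        alerts.append(("198.51.100.9", f"192.0.2.{i}", 60000, 2140, "3030"))
    # An unrelated source talking to one host with varying ports and payloads
    alerts.append(("203.0.113.5", "192.0.2.10", 53124, 2140, "6869"))
    alerts.append(("203.0.113.5", "192.0.2.10", 53125, 2140, "3030"))
    return alerts

def summarize(alerts, min_fanout=20):
    """Group alerts by source and flag sweep-like behaviour."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a[0]].append(a)
    report = {}
    for src, rows in by_src.items():
        dsts = {r[1] for r in rows}
        probes = {(r[2], r[3], r[4]) for r in rows}  # ports + payload
        report[src] = {
            "alerts": len(rows),
            "distinct_dsts": len(dsts),
            "constant_probe": len(probes) == 1,
            # Many destinations plus one fixed probe is the sweep signature
            "scan_like": len(dsts) >= min_fanout and len(probes) == 1,
            "dsts": dsts,
        }
    return report

def target_overlap(report, a, b):
    """Jaccard overlap of the destination sets of two sources."""
    da, db = report[a]["dsts"], report[b]["dsts"]
    return len(da & db) / len(da | db)

if __name__ == "__main__":
    rep = summarize(make_alerts())
    for src, r in sorted(rep.items()):
        print(src, r["alerts"], r["distinct_dsts"], r["scan_like"])
    print("overlap:", target_overlap(rep, "198.51.100.7", "198.51.100.9"))
```

A high overlap between two sources' destination sets, as with the "almost the same servers" observation above, suggests both are working from the same target list.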

