No subject


Thu Nov 23 16:34:03 EST 2017


With only 2 source addresses and 1004 dest. addresses I find this quite
strange and I don't know what happened. It looks like a scanner though.

One address has 15062 alerts, the other 3620, and they both have alerts
on almost the same servers, namely:
xxx.xx.206.1-254
xxx.xx.202.0-255
xxx.xx.201.0-255
xxx.xx.200.0-255

The payload is the same every time (as far as I have looked at the
alerts)
---------
 length = 2

  000 : 30 30                                             00
---------

Some more info:
source addr xxx.xx.xxx.xxx
dest addr   xxx.xx.xxx.xxx
Ver         4
Hdr Len     5
TOS         0
length      30
ID          16818
flags       0
offset      0
TTL         115
chksum      52774

source port 60000
dest port   2140
length      10

Has anyone had any experience with this alert and does anyone know what
happened?
Or has anyone got some examples from a real hack attempt so I can have a
look at those alerts?

Thank you very much,

Roeland
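To check a decoded alert like the one above against the raw packet it came from, here is an added example (not from the post or from Snort) that decodes the IPv4/UDP fields Snort prints, verifies the IP header checksum, and flags packets matching the pattern Roeland describes. The sample packet is constructed here with documentation-range addresses, since the real ones are redacted in the post.

```python
import struct


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes,
                 ident: int = 16818, ttl: int = 115) -> bytes:
    """Assemble IPv4 + UDP using the header values from the post (UDP checksum left 0)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ident, 0,
                      ttl, 17, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]  # fill checksum
    return hdr + udp


def decode(pkt: bytes) -> dict:
    """Decode the fields Snort prints for an IPv4/UDP packet; raise on a bad IP checksum."""
    (ver_ihl, tos, length, ident, flags_off, ttl, proto, chksum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = ver_ihl & 0x0F
    if ip_checksum(pkt[:ihl * 4]) != 0:  # a valid header sums to zero
        raise ValueError("IP header checksum mismatch")
    off = ihl * 4
    sport, dport, ulen, _ = struct.unpack("!HHHH", pkt[off:off + 8])
    return {
        "ver": ver_ihl >> 4, "hdr_len": ihl, "tos": tos, "length": length,
        "id": ident, "flags": flags_off >> 13, "offset": flags_off & 0x1FFF,
        "ttl": ttl, "proto": proto, "chksum": chksum,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "sport": sport, "dport": dport, "udp_len": ulen,
        "payload": pkt[off + 8:off + ulen],
    }


def matches_post_pattern(fields: dict) -> bool:
    """The pattern reported in the post: UDP to port 2140 carrying the two-byte payload "00"."""
    return fields["proto"] == 17 and fields["dport"] == 2140 and fields["payload"] == b"00"


# Constructed sample; addresses are placeholders, not the redacted ones in the post.
SAMPLE = build_packet("192.0.2.10", "198.51.100.7", 60000, 2140, b"00")
```

Decoding SAMPLE reproduces the post's values (length 30, UDP length 10, ID 16818, TTL 115), which is a quick sanity check that an alert's printed fields are internally consistent.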



