[Snort-users] PING Nmap2.36BETA & FTP activity

Didier CONTIS dcontis at ...163...
Wed Aug 16 00:13:43 EDT 2000


I am running snort on the anonymous ftp server of my department.

For some hosts connecting, I am seeing a lot of events:
[**] IDS162 - PING Nmap2.36BETA [**]

I am using snort-1.6.3 with 07272k.rules and
preprocessor portscan: 130.207.XXX.XXX/24 6 5

in the same time frame as the user logs in (see some logs at the end).
Note how the remote host opens 4 FTP sessions at the same time!

I was wondering if someone has already seen this type of activity or has
some comments?

Thanks in advance, Didier.


For Snort:
=======================================================
[**] IDS162 - PING Nmap2.36BETA [**]
08/15-23:55:12.028619 211.19.94.126 -> 130.207.XXX.XXX
ICMP TTL:242 TOS:0x0 ID:50402
ID:4   Seq:399  ECHO

[**] IDS162 - PING Nmap2.36BETA [**]
08/15-23:55:12.060662 211.19.94.126 -> 130.207.XXX.XXX
ICMP TTL:242 TOS:0x0 ID:50406
ID:4   Seq:401  ECHO

[**] IDS162 - PING Nmap2.36BETA [**]
08/15-23:55:12.423869 211.19.94.126 -> 130.207.XXX.XXX
ICMP TTL:242 TOS:0x0 ID:50411
ID:4   Seq:404  ECHO

[**] IDS162 - PING Nmap2.36BETA [**]
08/15-23:55:12.441295 211.19.94.126 -> 130.207.XXX.XXX
ICMP TTL:242 TOS:0x0 ID:50413
ID:4   Seq:406  ECHO

[**] IDS162 - PING Nmap2.36BETA [**]
08/15-23:55:12.452720 211.19.94.126 -> 130.207.XXX.XXX
ICMP TTL:242 TOS:0x0 ID:50414
ID:4   Seq:407  ECHO

[**] IDS162 - PING Nmap2.36BETA [**]
08/15-23:55:12.735068 211.19.94.126 -> 130.207.XXX.XXX
ICMP TTL:242 TOS:0x0 ID:50420
ID:4   Seq:412  ECHO

[**] IDS162 - PING Nmap2.36BETA [**]
08/15-23:55:12.741152 211.19.94.126 -> 130.207.XXX.XXX
ICMP TTL:242 TOS:0x0 ID:50421
ID:4   Seq:413  ECHO
[.............]

[**] IDS162 - PING Nmap2.36BETA [**]
08/15-23:55:14.541478 211.19.94.126 -> 130.207.XXX.XXX
ICMP TTL:242 TOS:0x0 ID:50484
ID:4   Seq:437  ECHO
========================================================

For the FTP server:
auth.log:FTP Server [12665] z211-19-94-126.dialup.wakwak.ne.jp
[15/Aug/2000:23:55:26 -0400] "USER anonymous" 331
auth.log:FTP Server [12666] z211-19-94-126.dialup.wakwak.ne.jp
[15/Aug/2000:23:55:26 -0400] "USER anonymous" 331
auth.log:FTP Server [12667] z211-19-94-126.dialup.wakwak.ne.jp
[15/Aug/2000:23:55:26 -0400] "USER anonymous" 331
auth.log:FTP Server [12668] z211-19-94-126.dialup.wakwak.ne.jp
[15/Aug/2000:23:55:26 -0400] "USER anonymous" 331
auth.log:FTP Server [12665] z211-19-94-126.dialup.wakwak.ne.jp
[15/Aug/2000:23:55:26 -0400] "PASS yourname at ...334..." 230
auth.log:FTP Server [12666] z211-19-94-126.dialup.wakwak.ne.jp
[15/Aug/2000:23:55:26 -0400] "PASS yourname at ...334..." 230
auth.log:FTP Server [12667] z211-19-94-126.dialup.wakwak.ne.jp
[15/Aug/2000:23:55:27 -0400] "PASS yourname at ...334..." 230
auth.log:FTP Server [12668] z211-19-94-126.dialup.wakwak.ne.jp
[15/Aug/2000:23:55:27 -0400] "PASS yourname at ...334..." 230
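
The correlation described in the post (a burst of ICMP echo alerts from one source, followed seconds later by several parallel anonymous FTP logins) can be checked mechanically. The following is an added example, not part of the original message or of Snort: it parses the two log formats shown above and reports sources whose FTP sessions begin shortly after their last ping alert. The function name `correlate`, the 60-second window, the shared clock, and recovering the address from a dashed reverse-DNS name are assumptions; the sample data is constructed and uses documentation addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input in the two formats shown in the post (not real traffic).
SNORT_ALERTS = """\
[**] IDS162 - PING Nmap2.36BETA [**]
08/15-23:55:12.028619 192.0.2.10 -> 198.51.100.5
ICMP TTL:242 TOS:0x0 ID:50402
ID:4   Seq:399  ECHO

[**] IDS162 - PING Nmap2.36BETA [**]
08/15-23:55:14.541478 192.0.2.10 -> 198.51.100.5
ICMP TTL:242 TOS:0x0 ID:50484
ID:4   Seq:437  ECHO

[**] IDS162 - PING Nmap2.36BETA [**]
08/15-22:10:03.000001 192.0.2.77 -> 198.51.100.5
ICMP TTL:50 TOS:0x0 ID:1201
ID:9   Seq:1  ECHO
"""
FTP_LOG = """\
auth.log:FTP Server [12665] host-192-0-2-10.example.net [15/Aug/2000:23:55:26 -0400] "USER anonymous" 331
auth.log:FTP Server [12666] host-192-0-2-10.example.net [15/Aug/2000:23:55:26 -0400] "USER anonymous" 331
auth.log:FTP Server [12667] host-192-0-2-10.example.net [15/Aug/2000:23:55:27 -0400] "USER anonymous" 331
"""

ALERT_RE = re.compile(r"\[\*\*\] .*PING.*? \[\*\*\]\n(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ (\S+) -> \S+")
FTP_RE = re.compile(r'FTP Server \[(\d+)\] (\S+)\s+\[([^ \]]+) [^\]]*\] "USER ')
HOST_IP_RE = re.compile(r"(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})")

def correlate(alerts, ftp_log, year=2000, window=timedelta(seconds=60)):
    """Map src IP -> (ping alert count, FTP sessions begun within `window` after the last alert)."""
    pings = defaultdict(list)
    for ts, src in ALERT_RE.findall(alerts):
        # Assumption: Snort alert timestamps carry no year, so the caller supplies it.
        pings[src].append(datetime.strptime(f"{year}/{ts}", "%Y/%m/%d-%H:%M:%S"))
    sessions = defaultdict(set)
    for pid, host, ts in FTP_RE.findall(ftp_log):
        m = HOST_IP_RE.search(host)  # assumption: the reverse-DNS name embeds the address
        ip = ".".join(m.groups()) if m else None
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S")
        if ip in pings and timedelta(0) <= when - max(pings[ip]) <= window:
            sessions[ip].add(pid)  # one server process id per parallel session
    return {ip: (len(pings[ip]), len(pids)) for ip, pids in sessions.items()}

if __name__ == "__main__":
    print(correlate(SNORT_ALERTS, FTP_LOG))
```

Where the FTP server logs names rather than addresses and the name does not embed the address, resolve it at collection time and correlate on the stored address instead.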




