[Snort-users] FW: [Fwd: IP scan] (fwd)

Dr SuSE drsuse at ...748...
Thu Nov 9 23:29:42 EST 2000


Read the message below.  It appears this company is doing the same
type of scanning as Quova Inc is.  I'm sure this might be old news but
it's new to me so I thought I'd share it with anyone else who lives in a
closet.

Dr SuSE

"Microsoft is not installed"

---------- Forwarded message ----------
Date: Fri, 10 Nov 2000 10:17:36 -0600
From: "Puffer S (Stefan)" <puffers at ...775...>
To: "'drsuse at ...748...'" <drsuse at ...748...>
Subject: FW: [Fwd: IP scan]



> ----------
> From: 	Jean Francois[SMTP:jlf at ...776...]
> Reply To: 	dennis sacks
> Sent: 	Friday, November 10, 2000 10:13 AM
> To: 	jlf at ...776...; Puffer S "(Stefan)
> Subject: 	[Fwd: IP scan]
> 
> 
> Thanks for your email regarding the unknown traffic coming from our
> network. We at Opnix have an internal project whose purpose it is to
> map the internet using UDP packets. This is the traffic you saw.
> This traffic is *not* any sort of a security compromising incident,
> and is only meant to measure distance and latency to various parts of
> the internet.
> 
> This project is ongoing, so you may see this traffic again. For your
> information, the signature of the traffic we generate should always be
> in the following form:
> 
> 1) A "pingsweep" of the first 50 hosts on each network. This
> "pingsweep" will consist of a single UDP packet sent to a single port
> on each machine. The port should be in the range of 60000-65000. The
> purpose of this is simply to find an active host on the subnet being
> mapped.
> 2) A UDP probe of the first and *only* the first host found in the
> above pingsweep. This UDP probe may not even reach your machine.
> This probe will always be of a UDP port in the range 50000-55000.
> 
> In the future, we may reduce the traffic being generated by this
> project by keeping a database of "known good hosts" for a given
> subnet. If you would like for us to use a specific machine on your
> network for our tests instead of doing step 1 above, please let us
> know, and we'll be glad to add that IP address to our database.
> 
> When the data from this project has been correlated, we may make
> portions of it available to third parties for analysis. If you are
> interested in this, please let us know.
> 
> Jean Francois
> Director Managed Services
> Opnix, Inc.
> 
> -------- Original Message --------
> Subject: IP scan
> Date: Thu, 9 Nov 2000 14:53:26 -0600
> From: "Puffer S (Stefan)" <puffers at ...775...>
> To: "'postmaster at ...777...'" <postmaster at ...777...>
> 
> Our firewall detected a host originating from opnix.net attempting a
> sequential IP scan.
> 
> Please inform the user currently at 216.183.194.3 that his or her
> activity is being monitored and recorded.
> 
> 9Nov2000 15:25:03 drop   hscfw01    >btlan03 useralert proto udp src 216.183.194.3 dst 144.68.0.1 service 60012 s_port 60012 len 29 rule 44
> 9Nov2000 15:25:03 drop   hscfw01    >btlan03 useralert proto udp src 216.183.194.3 dst 144.68.0.2 service 60012 s_port 60012 len 29 rule 44
> 9Nov2000 15:25:03 drop   hscfw01    >btlan03 useralert proto udp src 216.183.194.3 dst 144.68.0.3 service 60012 s_port 60012 len 29 rule 44
> 
> 
> Thank you,
> 
> Stefan Puffer
> ITS Security
> Union Carbide
> 
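
The two-step traffic signature described in the Opnix reply, written as a check over firewall records. This is an added example, not part of the original messages and not Opnix or Snort code. It assumes one record per line in the field layout quoted above; the sample addresses are constructed and MIN_RUN is an assumed threshold.

```python
import ipaddress
import re
from collections import defaultdict

# Field layout follows the firewall records quoted in the message above.
LINE_RE = re.compile(
    r"proto (?P<proto>\S+) src (?P<src>\S+) dst (?P<dst>\S+) service (?P<port>\d+)")
SWEEP_PORTS = range(60000, 65001)  # step 1 port range given in the reply
PROBE_PORTS = range(50000, 55001)  # step 2 port range given in the reply
MIN_RUN = 3                        # assumed threshold for "sequential"

def longest_sequential_run(addrs):
    """Length of the longest run of consecutive IPv4 addresses in addrs."""
    ints = sorted({int(ipaddress.IPv4Address(a)) for a in addrs})
    best = run = 1 if ints else 0
    for prev, cur in zip(ints, ints[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def classify(log_lines):
    """Map each UDP source to {"sweep": bool, "probe_targets": [dst, ...]}.

    "sweep" is True when one port was hit on MIN_RUN or more consecutive
    destination addresses; probe targets are destinations hit in PROBE_PORTS.
    """
    sweeps = defaultdict(lambda: defaultdict(set))  # src -> port -> dsts
    probes = defaultdict(set)                       # src -> dsts
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m or m["proto"] != "udp":
            continue
        port = int(m["port"])
        if port in SWEEP_PORTS:
            sweeps[m["src"]][port].add(m["dst"])
        elif port in PROBE_PORTS:
            probes[m["src"]].add(m["dst"])
    report = {}
    for src in set(sweeps) | set(probes):
        swept = any(longest_sequential_run(d) >= MIN_RUN
                    for d in sweeps[src].values())
        report[src] = {"sweep": swept, "probe_targets": sorted(probes[src])}
    return report

# Constructed sample records (documentation address ranges, not real hosts).
FMT = ("9Nov2000 15:25:03 drop hscfw01 >btlan03 useralert proto {} src {} "
       "dst {} service {} s_port {} len 29 rule 44")
SAMPLE = [FMT.format("udp", "198.51.100.7", f"192.0.2.{i}", 60012, 60012)
          for i in range(1, 5)]
SAMPLE += [FMT.format("udp", "198.51.100.7", "192.0.2.1", 50123, 50123),
           FMT.format("udp", "203.0.113.9", "192.0.2.10", 60500, 60500),
           FMT.format("udp", "203.0.113.9", "192.0.2.200", 60500, 60500),
           FMT.format("tcp", "203.0.113.50", "192.0.2.5", 60012, 60012)]
```

Calling classify(SAMPLE) flags 198.51.100.7 as a sweep followed by a probe of 192.0.2.1, and leaves the two scattered hits from 203.0.113.9 unflagged.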



