[Snort-users] named scan -> iquery -> version probe from korea

DmuZ dmuz at ...324...
Sat Nov 18 16:17:50 EST 2000


Hello,

I have been noticing a large number of the following scan sequence from this
IP in Korea. I think I remember reading about others who experienced this. I
first noticed this activity about 3 weeks ago. I just got a bunch more last
night.

All the scans use the same SYN-FIN scan to port 53, then follow up with an
iquery and a named version check if it is open.

Paste from snortsnarf:

<snip>

[**] SCAN-SYN FIN [**]
11/18-12:54:26.832800 211.56.35.221:53-> xx.yy.zz.aa:53
TCP TTL:29 TOS:0x0 ID:39426
******SF Seq: 0x12FF2EAB Ack: 0x47E750C7 Win: 0x404

[**] IDS277 - NAMED Iquery Probe [**]
11/18-12:54:29.489328 211.56.35.221:4872-> xx.yy.zz.aa:53
UDP TTL:51 TOS:0x0 ID:36414
Len: 35

[**] IDS278 - SCAN -named Version probe [**]
11/18-12:54:29.948289 211.56.35.221:4872-> xx.yy.zz.aa:53
UDP TTL:51 TOS:0x0 ID:36417
Len: 38

</snip>


Have others been seeing these scans as well?


DmuZ
--------------------
dmuz.angrypacket.com
--------------------
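The three-stage sequence in the paste (SYN-FIN to 53, then the IDS277 iquery probe, then the IDS278 version probe from the same source) is easy to pull out of a snort alert file automatically. The following is an added example, not code from the post or from Snort/snortsnarf: it parses alert blocks in the format shown above and reports source/target pairs that completed all three stages in order within a time window. The sample text is the post's own alert headers and flow lines; the year, the 60-second window and the function names are assumptions.

```python
import re
from datetime import datetime

# Alert header and flow lines as they appear in the post's snortsnarf paste
# (the TTL/ID/Len detail lines are omitted because the parser ignores them).
SAMPLE_ALERTS = """\
[**] SCAN-SYN FIN [**]
11/18-12:54:26.832800 211.56.35.221:53-> xx.yy.zz.aa:53
[**] IDS277 - NAMED Iquery Probe [**]
11/18-12:54:29.489328 211.56.35.221:4872-> xx.yy.zz.aa:53
[**] IDS278 - SCAN -named Version probe [**]
11/18-12:54:29.948289 211.56.35.221:4872-> xx.yy.zz.aa:53
"""

# One alert = "[**] message [**]" followed by the "MM/DD-HH:MM:SS.usec src:port-> dst:port" line.
ALERT = re.compile(r"\[\*\*\] (?P<msg>.+?) \[\*\*\]\n"
                   r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (?P<src>[\w.]+):\d+-> (?P<dst>[\w.]+):(?P<dport>\d+)")

def parse_alerts(text, year=2000):
    """Return (timestamp, msg, src, dst, dport) tuples; snort omits the year, so one is supplied (assumed)."""
    return [(datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f"),
             m["msg"], m["src"], m["dst"], int(m["dport"]))
            for m in ALERT.finditer(text)]

# The three stages of the sequence described in the post, in order.
STAGES = ("SCAN-SYN FIN", "IDS277", "IDS278")

def find_named_recon(events, window=60.0):
    """Return (src, dst) pairs that completed SYN-FIN -> iquery -> version probe
    against port 53, in that order, within `window` seconds of the SYN-FIN."""
    by_pair = {}
    for ts, msg, src, dst, dport in sorted(events, key=lambda e: e[0]):
        if dport == 53:
            by_pair.setdefault((src, dst), []).append((ts, msg))
    hits = []
    for pair, evs in by_pair.items():
        stage, start = 0, None
        for ts, msg in evs:
            if not msg.startswith(STAGES[stage]):
                continue
            if stage == 0:
                start = ts
            elif (ts - start).total_seconds() > window:
                continue  # follow-up probe too late to tie to this SYN-FIN
            stage += 1
            if stage == len(STAGES):
                hits.append(pair)
                break
    return hits
```

Running `find_named_recon(parse_alerts(SAMPLE_ALERTS))` on the paste yields the single pair `("211.56.35.221", "xx.yy.zz.aa")`; a lone SYN-FIN with no follow-up probes yields nothing.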