[Snort-users] named scan -> iquery -> version probe from Korea

DmuZ dmuz at ...324...
Sat Nov 18 16:17:50 EST 2000


I have been noticing a large number of the following scan sequence from this
IP in Korea. I think I remember reading about others who experienced this. I
first noticed this activity about 3 weeks ago. I just got a bunch more last

All the scans use the same SYN-FIN scan to port 53 then follow up with
iquery and named version check if it is open.

Paste from snortsnarf:


[**] SCAN-SYN FIN [**]
11/18-12:54:26.832800> xx.yy.zz.aa:53
TCP TTL:29 TOS:0x0 ID:39426
******SF Seq: 0x12FF2EAB Ack: 0x47E750C7 Win: 0x404

[**] IDS277 - NAMED Iquery Probe [**]
11/18-12:54:29.489328> xx.yy.zz.aa:53
UDP TTL:51 TOS:0x0 ID:36414
Len: 35

[**] IDS278 - SCAN -named Version probe [**]
11/18-12:54:29.948289> xx.yy.zz.aa:53
UDP TTL:51 TOS:0x0 ID:36417
Len: 38


Have others been seeing these scans as well?
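
One way to pick this three-step sequence out of a Snort alert file, as an added example that is not part of the original post. It assumes the usual "src:port -> dst:port" address line (the archived paste above has lost the source side), a 30-second correlation window, and the year 2000 for the year-less timestamps; the function names and sample addresses are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Alert names as they appear in the post, in the order the scan produces them.
STAGES = ["SCAN-SYN FIN", "NAMED Iquery Probe", "named Version probe"]

# Assumed layout: "[**] msg [**]" then "MM/DD-HH:MM:SS.usec src:port -> dst:port".
ALERT_RE = re.compile(
    r"\[\*\*\] (?P<msg>.+?) \[\*\*\]\n"
    r"(?P<ts>\S+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")

# Constructed sample alerts (documentation addresses); not data from the post.
SAMPLE = """\
[**] SCAN-SYN FIN [**]
11/18-12:54:26.832800 192.0.2.7:53 -> 198.51.100.10:53
[**] SCAN-SYN FIN [**]
11/18-12:54:27.100000 192.0.2.7:53 -> 198.51.100.11:53
[**] IDS277 - NAMED Iquery Probe [**]
11/18-12:54:29.489328 192.0.2.7:1052 -> 198.51.100.10:53
[**] IDS278 - SCAN -named Version probe [**]
11/18-12:54:29.948289 192.0.2.7:1052 -> 198.51.100.10:53
[**] IDS278 - SCAN -named Version probe [**]
11/18-14:00:00.000000 203.0.113.5:4000 -> 198.51.100.10:53
"""

def parse_alerts(text, year=2000):
    """Yield (time, src, dst, stage) for matching alerts aimed at port 53."""
    for m in ALERT_RE.finditer(text):
        stage = next((i for i, s in enumerate(STAGES) if s in m["msg"]), None)
        if stage is not None and m["dport"] == "53":
            # Snort timestamps of this form carry no year; it is supplied here.
            ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
            yield ts, m["src"], m["dst"], stage

def find_sequences(text, window=timedelta(seconds=30)):
    """Return (src, dst) pairs that hit all three stages in order within window."""
    progress, hits = {}, set()   # progress: (src, dst) -> (next stage, start time)
    for ts, src, dst, stage in sorted(parse_alerts(text)):
        key = (src, dst)
        expected, start = progress.get(key, (0, None))
        if stage == 0:
            progress[key] = (1, ts)            # SYN-FIN (re)starts the sequence
        elif stage == expected and ts - start <= window:
            if stage == len(STAGES) - 1:
                hits.add(key)                  # version probe completes it
                del progress[key]
            else:
                progress[key] = (stage + 1, start)
    return sorted(hits)

if __name__ == "__main__":
    for src, dst in find_sequences(SAMPLE):
        print(f"{src} -> {dst}: SYN-FIN, iquery, version probe in sequence")
```

A host that only receives the SYN-FIN (port 53 closed) or a version probe with no preceding scan is not reported, which separates the full sequence from unrelated single alerts.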

