[Snort-users] named scan -> iquery -> version probe from korea

Mark Rowlands mark.rowlands at ...752...
Sun Nov 19 11:30:11 EST 2000


On Saturday 18 November 2000 21:17, DmuZ wrote:
> Hello,
>
> I have been noticing a large number of the following scan sequence from
> this IP in Korea. I think I remember reading about others who experienced
> this. I first noticed this activity about 3 weeks ago. I just got a bunch
> more last night.
>
> All the scans use the same SYN-FIN scan to port 53 then follow up with
> iquery and named version check if it is open.
>
> Paste from snortsnarf:
>
> <snip>
>
> [**] SCAN-SYN FIN [**]
> 11/18-12:54:26.832800 211.56.35.221:53-> xx.yy.zz.aa:53
> TCP TTL:29 TOS:0x0 ID:39426
> ******SF Seq: 0x12FF2EAB Ack: 0x47E750C7 Win: 0x404
>
> [**] IDS277 - NAMED Iquery Probe [**]
> 11/18-12:54:29.489328 211.56.35.221:4872-> xx.yy.zz.aa:53
> UDP TTL:51 TOS:0x0 ID:36414
> Len: 35
>
> [**] IDS278 - SCAN -named Version probe [**]
> 11/18-12:54:29.948289 211.56.35.221:4872-> xx.yy.zz.aa:53
> UDP TTL:51 TOS:0x0 ID:36417
> Len: 38
>
> </snip>
>
>
> Have others been seeing these scans as well?
>

yep

mine was from @home tho

> DmuZ
> --------------------
> dmuz.angrypacket.com
> --------------------
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
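Added example, not part of either post and not Snort project code: a Python correlator that reads alerts in the format pasted above and reports each source that completes the full SYN-FIN, iquery, version-probe sequence against port 53 of one host. The function names, the 60-second window, the assumed year and the sample alerts (documentation addresses) are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Stages of the sequence from the post, in order, matched as alert-name substrings.
STAGES = ("syn fin", "iquery", "version probe")
HEADER = re.compile(r"^\[\*\*\]\s*(.+?)\s*\[\*\*\]$")
PACKET = re.compile(r"^(\d\d/\d\d-[\d:.]+)\s+(\S+?):\d+\s*->\s*(\S+?):53$")

def parse_alerts(text, year=2000):
    """Yield (time, name, src, dst) per port-53 alert; the log has no year, so one is assumed."""
    name = None
    for line in map(str.strip, text.splitlines()):
        if m := HEADER.match(line):
            name = m.group(1).lower()
        elif name and (m := PACKET.match(line)):
            ts = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S.%f")
            yield ts, name, m.group(2), m.group(3)
            name = None

def find_probe_chains(text, window=timedelta(seconds=60)):
    """Return (src, dst, first_seen) for pairs that show every stage, in order, within window."""
    progress, hits = {}, []  # progress: (src, dst) -> (next stage index, chain start time)
    for ts, name, src, dst in sorted(parse_alerts(text)):
        idx, start = progress.get((src, dst), (0, ts))
        if ts - start > window:
            idx = 0  # earlier stages are too old to belong to this probe
        if STAGES[0] in name:
            idx, start = 1, ts  # a new SYN-FIN always restarts the chain
        elif idx and STAGES[idx] in name:
            idx += 1
        if idx == len(STAGES):
            hits.append((src, dst, start))
            idx = 0
        progress[(src, dst)] = (idx, start)
    return hits

# Constructed sample: one full chain, plus a lone SYN-FIN from a second source.
SAMPLE = """\
[**] SCAN-SYN FIN [**]
11/18-12:54:26.832800 192.0.2.10:53-> 198.51.100.5:53
TCP TTL:29 TOS:0x0 ID:39426
[**] IDS277 - NAMED Iquery Probe [**]
11/18-12:54:29.489328 192.0.2.10:4872-> 198.51.100.5:53
[**] IDS278 - SCAN -named Version probe [**]
11/18-12:54:29.948289 192.0.2.10:4872-> 198.51.100.5:53
[**] SCAN-SYN FIN [**]
11/18-13:10:02.100000 192.0.2.77:53-> 198.51.100.9:53
"""

print(find_probe_chains(SAMPLE))
```

A source that only sends the SYN-FIN (the port was closed or filtered) is left out of the result, so the list shows hosts whose port 53 answered and was then probed further.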


