[Snort-users] FW: SNORT: snort.alert.2000.11.24.03.00

Gene Ramon Gomez ggomez at ...677...
Fri Nov 24 10:12:13 EST 2000


Hey folks,
Anyone have ANY idea about what these guys were looking for?  109 appears to
be POP2, but are there really any hosts out there still running it?  And why
the need for both the source and the destination port 109?  Also, notice how
the Seq and Ack numbers are paired...

-Gene

-----Original Message-----
From: snort at ...677... [mailto:snort at ...677...]
Sent: Friday, November 24, 2000 3:00 AM
To: alert at ...677...
Subject: SNORT: snort.alert.2000.11.24.03.00

[**] spp_portscan: PORTSCAN DETECTED from 202.30.26.81 (STEALTH) [**]
11/24-02:17:20.486535
[**] IDS198/SYN FIN Scan [**]
11/24-02:17:20.486165 202.30.26.81:109 -> x.y.z.1:109
TCP TTL:24 TOS:0x0 ID:39426
******SF Seq: 0x335E9BA3   Ack: 0x60563D6A   Win: 0x404

[**] IDS198/SYN FIN Scan [**]
11/24-02:17:20.890051 202.30.26.81:109 -> x.y.z.2:109
TCP TTL:24 TOS:0x0 ID:39426
******SF Seq: 0x335E9BA3   Ack: 0x60563D6A   Win: 0x404

[**] IDS198/SYN FIN Scan [**]
11/24-02:17:21.630639 202.30.26.81:109 -> x.y.z.3:109
TCP TTL:24 TOS:0x0 ID:39426
******SF Seq: 0x21A22059   Ack: 0x15971CF9   Win: 0x404

[**] IDS198/SYN FIN Scan [**]
11/24-02:17:21.753432 202.30.26.81:109 -> x.y.z.4:109
TCP TTL:24 TOS:0x0 ID:39426
******SF Seq: 0x21A22059   Ack: 0x15971CF9   Win: 0x404

[**] spp_portscan: portscan status from 202.30.26.81: 4 connections across 4
hosts: TCP(4), UDP(0) STEALTH [**]
11/24-02:18:01.167374
[**] spp_portscan: End of portscan from 202.30.26.81: TOTAL time(1s)
hosts(4) TCP(4) UDP(0) STEALTH [**]
11/24-02:19:00.970419
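Added example, not part of the original post or of Snort itself: a small parser for the alert text quoted above that pulls out the oddities Gene points at (SYN and FIN set together, source port equal to destination port, a constant IP ID, and Seq/Ack pairs reused across different targets), which is how a defender would fingerprint crafted-packet scanning from a log rather than eyeballing it. The sample alerts are constructed from the post; `x.y.z` is the poster's own redaction.

```python
import re
from collections import Counter

# Constructed sample, modelled on the alert text quoted in the post (x.y.z = redacted net).
SAMPLE = """\
[**] IDS198/SYN FIN Scan [**]
11/24-02:17:20.486165 202.30.26.81:109 -> x.y.z.1:109
TCP TTL:24 TOS:0x0 ID:39426
******SF Seq: 0x335E9BA3   Ack: 0x60563D6A   Win: 0x404

[**] IDS198/SYN FIN Scan [**]
11/24-02:17:20.890051 202.30.26.81:109 -> x.y.z.2:109
TCP TTL:24 TOS:0x0 ID:39426
******SF Seq: 0x335E9BA3   Ack: 0x60563D6A   Win: 0x404

[**] IDS198/SYN FIN Scan [**]
11/24-02:17:21.630639 202.30.26.81:109 -> x.y.z.3:109
TCP TTL:24 TOS:0x0 ID:39426
******SF Seq: 0x21A22059   Ack: 0x15971CF9   Win: 0x404
"""
HDR = re.compile(r"^\S+ (\S+):(\d+) -> (\S+):(\d+)$")
IP4 = re.compile(r"^TCP TTL:(\d+) TOS:0x[0-9A-Fa-f]+ ID:(\d+)$")
TCP = re.compile(r"^([*\dA-Z]{8}) Seq: (0x[0-9A-Fa-f]+)\s+Ack: (0x[0-9A-Fa-f]+)\s+Win: 0x[0-9A-Fa-f]+$")

def parse_alerts(text):
    """Parse 4-line Snort packet alerts into dicts; 3-line spp_portscan summaries are skipped."""
    recs = []
    for block in text.strip().split("\n\n"):
        lines = block.strip().splitlines()
        if len(lines) != 4:
            continue
        h, i, t = HDR.match(lines[1]), IP4.match(lines[2]), TCP.match(lines[3])
        if not (h and i and t):
            continue
        flags = t.group(1)  # 8-char field: '*' = bit clear, letter = bit set (e.g. ******SF)
        recs.append({"src": h.group(1), "sport": int(h.group(2)), "dst": h.group(3),
                     "dport": int(h.group(4)), "ttl": int(i.group(1)), "ipid": int(i.group(2)),
                     "syn_fin": "S" in flags and "F" in flags,
                     "seq": int(t.group(2), 16), "ack": int(t.group(3), 16)})
    return recs

def crafted_indicators(recs, src):
    """Summarise, for one source IP, the signs that packets were hand-built rather than stack-generated."""
    rs = [r for r in recs if r["src"] == src]
    pairs = Counter((r["seq"], r["ack"]) for r in rs)  # a real stack would not reuse these
    return {"targets": len({r["dst"] for r in rs}),
            "all_syn_fin": all(r["syn_fin"] for r in rs),          # illegal flag combination
            "all_same_ports": all(r["sport"] == r["dport"] for r in rs),
            "fixed_ipid": len({r["ipid"] for r in rs}) == 1,        # IP ID never increments
            "reused_seq_ack_pairs": sum(1 for c in pairs.values() if c > 1)}
```

Running `crafted_indicators(parse_alerts(SAMPLE), "202.30.26.81")` flags all four indicators for the three targets in the sample.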