[Snort-users] FW: SNORT: snort.alert.2000.11.24.03.00

Phil Wood cpw at ...440...
Fri Nov 24 15:49:20 EST 2000


On Fri, Nov 24, 2000 at 07:12:13AM -0800, Gene Ramon Gomez wrote:
> Hey folks,
> Anyone have ANY idea about what these guys were looking for?  109 appears to
> be POP2, but are there really any hosts out there still running it?  And why

I asked a user who was accessing port 109 what he was up to.  He was
downloading MP3 stuff.  It's like using port 23 (telnet) for http.  The
Internet is turning into a microcosm of civilization (or lack thereof).
However, that doesn't really answer your question.  He might be looking
for MP3 servers.

> the need for both the source and the destination port 109?  Also, notice how
> the Seq and Ack numbers are paired...
> 
> -Gene
> 
> -----Original Message-----
> From: snort at ...677... [mailto:snort at ...677...]
> Sent: Friday, November 24, 2000 3:00 AM
> To: alert at ...677...
> Subject: SNORT: snort.alert.2000.11.24.03.00
> 
> [**] spp_portscan: PORTSCAN DETECTED from 202.30.26.81 (STEALTH) [**]
> 11/24-02:17:20.486535
> [**] IDS198/SYN FIN Scan [**]
> 11/24-02:17:20.486165 202.30.26.81:109 -> x.y.z.1:109
> TCP TTL:24 TOS:0x0 ID:39426
> ******SF Seq: 0x335E9BA3   Ack: 0x60563D6A   Win: 0x404
> 
> [**] IDS198/SYN FIN Scan [**]
> 11/24-02:17:20.890051 202.30.26.81:109 -> x.y.z.2:109
> TCP TTL:24 TOS:0x0 ID:39426
> ******SF Seq: 0x335E9BA3   Ack: 0x60563D6A   Win: 0x404
> 
> [**] IDS198/SYN FIN Scan [**]
> 11/24-02:17:21.630639 202.30.26.81:109 -> x.y.z.3:109
> TCP TTL:24 TOS:0x0 ID:39426
> ******SF Seq: 0x21A22059   Ack: 0x15971CF9   Win: 0x404
> 
> [**] IDS198/SYN FIN Scan [**]
> 11/24-02:17:21.753432 202.30.26.81:109 -> x.y.z.4:109
> TCP TTL:24 TOS:0x0 ID:39426
> ******SF Seq: 0x21A22059   Ack: 0x15971CF9   Win: 0x404
> 
> [**] spp_portscan: portscan status from 202.30.26.81: 4 connections across 4
> hosts: TCP(4), UDP(0) STEALTH [**]
> 11/24-02:18:01.167374
> [**] spp_portscan: End of portscan from 202.30.26.81: TOTAL time(1s)
> hosts(4) TCP(4) UDP(0) STEALTH [**]
> 11/24-02:19:00.970419
> 

-- 
Phil Wood, cpw at ...440...
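
The traits visible in the quoted alert (SYN and FIN set together, source port equal to destination port, one IP ID on every packet, and Seq/Ack pairs repeated across different targets) can be pulled out of an alert file mechanically. The following is an added example, not part of the original thread or of Snort; the names `parse_alerts` and `crafted_traits` are hypothetical, and the regex assumes the alert layout shown in the quoted message.

```python
import re
from collections import defaultdict
# Packet alerts copied from the quoted message above (blank lines dropped).
SAMPLE = """\
[**] IDS198/SYN FIN Scan [**]
11/24-02:17:20.486165 202.30.26.81:109 -> x.y.z.1:109
TCP TTL:24 TOS:0x0 ID:39426
******SF Seq: 0x335E9BA3   Ack: 0x60563D6A   Win: 0x404
[**] IDS198/SYN FIN Scan [**]
11/24-02:17:20.890051 202.30.26.81:109 -> x.y.z.2:109
TCP TTL:24 TOS:0x0 ID:39426
******SF Seq: 0x335E9BA3   Ack: 0x60563D6A   Win: 0x404
[**] IDS198/SYN FIN Scan [**]
11/24-02:17:21.630639 202.30.26.81:109 -> x.y.z.3:109
TCP TTL:24 TOS:0x0 ID:39426
******SF Seq: 0x21A22059   Ack: 0x15971CF9   Win: 0x404
[**] IDS198/SYN FIN Scan [**]
11/24-02:17:21.753432 202.30.26.81:109 -> x.y.z.4:109
TCP TTL:24 TOS:0x0 ID:39426
******SF Seq: 0x21A22059   Ack: 0x15971CF9   Win: 0x404
"""

ALERT_RE = re.compile(
    r"\[\*\*\] (?P<sig>.+?) \[\*\*\]\n"
    r"\S+ (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)\n"
    r"TCP TTL:\d+ TOS:\S+ ID:(?P<ipid>\d+)\s*\n"
    r"(?P<flags>\S+) Seq: (?P<seq>0x[0-9A-F]+)\s+Ack: (?P<ack>0x[0-9A-F]+)")

def parse_alerts(text):
    """One dict per packet alert; spp_portscan summary lines do not match."""
    return [m.groupdict() for m in ALERT_RE.finditer(text)]

def crafted_traits(alerts):
    """Per source, report header fields a normal TCP stack would vary."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)
    report = {}
    for src, pkts in by_src.items():
        pairs = defaultdict(list)  # (seq, ack) -> destinations that saw it
        for p in pkts:
            pairs[(p["seq"], p["ack"])].append(p["dst"])
        report[src] = {
            "syn_fin": all({"S", "F"} <= set(p["flags"]) for p in pkts),
            "same_src_dst_port": all(p["sport"] == p["dport"] for p in pkts),
            "fixed_ip_id": len(pkts) > 1 and len({p["ipid"] for p in pkts}) == 1,
            "reused_seq_ack": {k: v for k, v in pairs.items() if len(v) > 1},
        }
    return report
```
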



