[Snort-users] tcp/510 probe
lenb at ...750...
Tue Nov 28 10:04:59 EST 2000
On Tue, 28 Nov 2000, andy lowton wrote:
> I got exactly the same thing, but only once. I caught it with ipf:
> Nov 25 11:02:09 ipmon: 11:02:09.048081 tun0 @0:27 b
> 18.104.22.168,510 -> a.b.c.d,510 PR tcp len 20 40 -S IN
I received a full scan of our network for this port a couple of days
ago. The odd twist is that exactly 2 hours before this, from the same
IP, we were also scanned for port 100. I posted it to
incidents at ...867..., and learned that several more people had been
scanned as well, 1 from the same IP: 22.214.171.124. For both, the
source port was 510. Is there any way to capture a dump of a scan?
I would much prefer to look at the details with tcpdump or Ethereal.