[Snort-users] tcp/510 probe

Len Burns lenb at ...750...
Tue Nov 28 10:04:59 EST 2000

On Tue, 28 Nov 2000, andy lowton wrote:

> I got exactly the same thing, but only once. I caught it with ipf:
> Nov 25 11:02:09  ipmon[12376]: 11:02:09.048081             tun0 @0:27 b
>,510 -> a.b.c.d,510 PR tcp len 20 40 -S IN

I received a full scan of our network for this port a couple of days
ago. The odd twist is that exactly 2 hours before this, from the same
IP, we were also scanned for port 100.  I posted it to
incidents at ...867..., and learned that several more people had been
scanned as well, 1 from the same IP:  For both, the
source port was 510.  Is there any way to capture a dump of a scan?
I would much prefer to look at the details with tcpdump or Ethereal.

