[Snort-users] tcp/510 probe

Len Burns lenb at ...750...
Tue Nov 28 10:04:59 EST 2000


On Tue, 28 Nov 2000, andy lowton wrote:

>
> I got exactly the same thing, but only once. I caught it with ipf:
>
> Nov 25 11:02:09  ipmon[12376]: 11:02:09.048081             tun0 @0:27 b
>  204.182.234.16,510 -> a.b.c.d,510 PR tcp len 20 40 -S IN
>
I received a full scan of our network for this port a couple of days
ago; the odd twist is that exactly 2 hours before this, from the same
IP, we were also scanned for port 100.  I posted it to
incidents at ...867..., and learned that several more people had been
scanned as well, 1 from the same IP: 208.185.167.115.  For both, the
source port was 510.  Is there any way to capture a dump of a scan?
I would much prefer to look at the details with tcpdump or Ethereal.

-Len



