[Snort-users] new ports in portscans and scans in general
chakl at ...931...
Thu Jan 11 15:17:22 EST 2001
> Every once in a while a new port shows up being scanned on our network.
> Is this something that anyone anywhere needs to know about? (TCP 9704
> this time
9704 is a "popular rootshell port (inetd.conf)" according to
> The thrill of tracking down someone responsible for a particular IP
> number and reporting it has definitely worn off for me. Over the weekend
> we were scanned by 10 different IP numbers. I don't have time to report
May as well be a nmap scan with decoy addresses, i.e. the scanner generates
fake packets that seem to be coming from different hosts in order to
confuse the target admin. Looks like that stetegy was successful ;)
> Just out of curiousity, I'm wondering how much spread do these scans
We see lots of them on several networks we manage. We log them and do
some statistics and backtracing, otherwise mostly ignore them. With
other measures like firewalls, host IDS etc. in place, we don't really
mind scans for services that we do not provide.
Olaf Schreck chakl at ...931... Syscall() Network Solutions, Berlin
"We reject kings, presidents, and voting;
we believe in rough consensus and running code."
-- David Clark, IAB chair, 1992
More information about the Snort-users