[Snort-users] new ports in portscans and scans in general

Olaf Schreck chakl at ...931...
Thu Jan 11 15:17:22 EST 2001


> Every once in a while a new port shows up being scanned on our network.
> Is this something that anyone anywhere needs to know about? (TCP 9704
> this time

9704 is a "popular rootshell port (inetd.conf)" according to 


> The thrill of tracking down someone responsible for a particular IP
> number and reporting it has definitely worn off for me. Over the weekend
> we were scanned by 10 different IP numbers. I don't have time to report

May as well be an nmap scan with decoy addresses, i.e. the scanner generates 
fake packets that seem to be coming from different hosts in order to 
confuse the target admin.  Looks like that strategy was successful ;)

> Just out of curiosity, I'm wondering how much spread do these scans
> have?

We see lots of them on several networks we manage.  We log them and do 
some statistics and backtracing, otherwise mostly ignore them.  With 
other measures like firewalls, host IDS etc. in place, we don't really 
mind scans for services that we do not provide.

Olaf Schreck	chakl at ...931...	Syscall() Network Solutions, Berlin
                "We reject kings, presidents, and voting;
             we believe in rough consensus and running code."	
                                        -- David Clark, IAB chair, 1992
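
Added example, not part of the original post: one way to do the kind of scan-log statistics mentioned above, reporting ports not seen before and bursts where several sources probe the same target port within seconds, as a decoy scan would produce. The record format, the baseline port set, the 5-second window and all names here are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not Snort output): time, source, target, TCP port.
SAMPLE = """\
2001-01-06T02:14:07 192.0.2.10 10.0.0.5 9704
2001-01-06T02:14:07 198.51.100.7 10.0.0.5 9704
2001-01-06T02:14:08 203.0.113.44 10.0.0.5 9704
2001-01-06T02:14:09 192.0.2.99 10.0.0.5 9704
2001-01-06T09:30:00 198.51.100.23 10.0.0.5 21
2001-01-07T17:45:12 203.0.113.80 10.0.0.5 9704
"""
BASELINE_PORTS = {21, 23, 80, 111}  # assumed: ports already seen in earlier logs

def parse(text):
    """Turn the whitespace-separated records into (time, src, dst, port) tuples."""
    rows = (line.split() for line in text.splitlines() if line.strip())
    return [(datetime.fromisoformat(ts), src, dst, int(port))
            for ts, src, dst, port in rows]

def new_ports(events, baseline):
    """Ports probed in this batch that never appeared in the baseline."""
    return sorted({port for _, _, _, port in events} - set(baseline))

def source_bursts(events, window=timedelta(seconds=5), min_sources=3):
    """Probes of one (target, port) from several sources in quick succession;
    consistent with a decoy scan, but not proof of one."""
    by_key = defaultdict(list)
    for ts, src, dst, port in sorted(events):
        by_key[(dst, port)].append((ts, src))
    bursts = []
    for key, hits in by_key.items():
        groups = [[hits[0]]]
        for prev, cur in zip(hits, hits[1:]):
            # Start a new group whenever the gap to the previous probe is too long.
            if cur[0] - prev[0] <= window:
                groups[-1].append(cur)
            else:
                groups.append([cur])
        for group in groups:
            sources = sorted({src for _, src in group})
            if len(sources) >= min_sources:
                bursts.append((key, sources))
    return bursts

if __name__ == "__main__":
    events = parse(SAMPLE)
    print("new ports:", new_ports(events, BASELINE_PORTS))
    print("bursts:", source_bursts(events))
```

A burst only groups the addresses for one report; nothing in these records distinguishes a spoofed decoy from the real source.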

