[Snort-users] new ports in portscans and scans in general

Martin Roesch roesch at ...421...
Thu Jan 18 02:38:54 EST 2001


It'd probably be useful for you to try out ACID or Snortsnarf; they'll
make your life easier.  FYI, port 9704 is a common backdoor left behind
by a Linux statd buffer overflow.

   -Marty

robin stubbs wrote:
> 
> Every once in a while a new port shows up being scanned on our network.
> Is this something that anyone anywhere needs to know about? (TCP 9704
> this time). I'm thinking, maybe the list doesn't want me to send email
> every time I see a port scan I can't identify. There's a lot of
> ports... :-)
> 
> The thrill of tracking down someone responsible for a particular IP
> number and reporting it has definitely worn off for me. Over the weekend
> we were scanned by 10 different IP numbers. I don't have time to report
> these manually and I don't know but what someone else already did
> anyway. How do other highly targeted entities deal with this type of
> thing? Does your institution take on this job or is it every admin on
> their own? (The word security does not appear in my job description!)
> On the other hand, once I ran a machine that was compromised and I very
> greatly appreciated the fact that someone managed to send me email
> alerting me of this fact.
> 
> Just out of curiosity, I'm wondering how much spread do these scans
> have? That would impact the utility of reporting one, i.e. if the
> average compromised machine scanned every live IP number on the
> internet, then there would be a high likelihood they scanned the FBI
> for example, and maybe the owners would hear about it. On the other
> hand, if it scanned only a few class C subnets per day then it would
> probably be more important that the scannees report it. I'm imagining
> that these programs/people are restricting the amount of scanning they
> do to evade detection, or am I wrong?

--
Martin Roesch
roesch at ...421...
http://www.snort.org



