[Snort-users] Possible network mapping?

shawn . moyer shawn at ...1184...
Thu Mar 1 11:43:23 EST 2001


Dr SuSE wrote:
 
> Has anyone seen this type of traffic before?  There never was a three-way
> handshake between my machine at 192.0.0.11 and 209.67.42.78, which resolves to
> orb-cache2.starmedia.com.
> I'm assuming it might be a forged packet sent to solicit a response, i.e. the TCP
> reset reply from my machine.

Nmap has the ability to do ACK scanning (-sA), so I'd say it's possible. 

http://archives.neohapsis.com/archives/nmap/2000/0096.html

It's also possible that someone was SYN scanning and using a list of
spoofed hosts to obfuscate logs and yours was one of them and this was
the response packet back. :)

Also, by the hostname, I wonder if this is a misconfigured web proxy
box?


--shawn
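
An added example, not part of the original message: a small handshake tracker that separates the two cases raised in the reply, an inbound ACK with no prior connection and an inbound SYN/ACK for a SYN this host never sent. The packet records, ports, the 198.51.100.7 and 203.0.113.9 peers, and the function name are constructed for illustration; only the two addresses from the question come from the thread.

```python
from collections import namedtuple

# flags is a string of TCP flag letters, e.g. "S", "SA", "A", "R"
Pkt = namedtuple("Pkt", "src sport dst dport flags")

def classify_unsolicited(packets, local_ip):
    """Return (packet, label) for inbound packets that match no handshake state."""
    we_sent_syn = set()    # flows this host opened with a SYN
    they_sent_syn = set()  # flows a remote host opened with a SYN
    findings = []
    for p in packets:
        flags = set(p.flags)
        if p.src == local_ip:
            if flags == {"S"}:
                we_sent_syn.add((p.dst, p.dport, p.sport))
            continue
        if p.dst != local_ip:
            continue
        flow = (p.src, p.sport, p.dport)  # (remote ip, remote port, local port)
        if flags == {"S"}:
            they_sent_syn.add(flow)
        elif flags == {"S", "A"}:
            if flow not in we_sent_syn:
                findings.append((p, "unsolicited SYN/ACK: possible reply to a SYN "
                                    "spoofed with our address"))
        elif "A" in flags and "R" not in flags:
            if flow not in we_sent_syn and flow not in they_sent_syn:
                findings.append((p, "unsolicited ACK: possible ACK scan or "
                                    "stale/misconfigured peer"))
    return findings

# Constructed sample traffic as seen at 192.0.0.11
SAMPLE = [
    Pkt("192.0.0.11", 40000, "198.51.100.7", 80, "S"),   # normal outbound connect
    Pkt("198.51.100.7", 80, "192.0.0.11", 40000, "SA"),
    Pkt("192.0.0.11", 40000, "198.51.100.7", 80, "A"),
    Pkt("198.51.100.7", 80, "192.0.0.11", 40000, "A"),   # ACK on a known flow
    Pkt("209.67.42.78", 80, "192.0.0.11", 1234, "A"),    # ACK, no handshake seen
    Pkt("192.0.0.11", 1234, "209.67.42.78", 80, "R"),    # local stack resets it
    Pkt("203.0.113.9", 22, "192.0.0.11", 5555, "SA"),    # SYN/ACK, no SYN from us
]

if __name__ == "__main__":
    for pkt, label in classify_unsolicited(SAMPLE, "192.0.0.11"):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.flags}] {label}")
```

The tracker only knows about handshakes it has observed, so a connection opened before the capture started will also be reported as unsolicited.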



