[Snort-users] Traceroute?

Paul Asadoorian paul.com at ...530...
Sun Mar 4 17:17:03 EST 2001


Has anyone seen this signature before?


Jan 26 12:43:01 207.236.111.23:49658 -> MY.SUB.NET.1:56023 UDP
Jan 26 12:43:01 207.236.111.23:49658 -> MY.SUB.NET.1:56034 UDP
Jan 26 12:43:01 207.236.111.23:49658 -> MY.SUB.NET.1:56035 UDP
Jan 26 12:43:01 207.236.111.23:49658 -> MY.SUB.NET.1:56036 UDP
Jan 26 12:43:01 207.236.111.23:49658 -> MY.SUB.NET.1:56037 UDP
Jan 26 12:43:01 207.236.111.23:49658 -> MY.SUB.NET.1:56038 UDP
Jan 26 12:43:01 207.236.111.23:49658 -> MY.SUB.NET.1:56039 UDP
Jan 26 12:43:01 207.236.111.23:49658 -> MY.SUB.NET.1:56040 UDP
Jan 26 12:43:01 207.236.111.23:49658 -> MY.SUB.NET.1:56041 UDP
Jan 26 12:43:01 207.236.111.23:49658 -> MY.SUB.NET.1:56042 UDP

I have another from a different IP address, same target host, slightly
different port numbers:


Jan 23 15:01:43 24.114.40.164:64023 -> MY.SUB.NET.1:36394 UDP
Jan 23 15:01:43 24.114.40.164:64023 -> MY.SUB.NET.1:36405 UDP
Jan 23 15:01:43 24.114.40.164:64023 -> MY.SUB.NET.1:36406 UDP
Jan 23 15:01:43 24.114.40.164:64023 -> MY.SUB.NET.1:36407 UDP
Jan 23 15:01:43 24.114.40.164:64023 -> MY.SUB.NET.1:36408 UDP
Jan 23 15:01:43 24.114.40.164:64023 -> MY.SUB.NET.1:36409 UDP
Jan 23 15:01:43 24.114.40.164:64023 -> MY.SUB.NET.1:36410 UDP
Jan 23 15:01:43 24.114.40.164:64023 -> MY.SUB.NET.1:36411 UDP
Jan 23 15:01:43 24.114.40.164:64023 -> MY.SUB.NET.1:36412 UDP
Jan 23 15:01:43 24.114.40.164:64023 -> MY.SUB.NET.1:36413 UDP
Jan 23 15:01:43 24.114.40.164:64023 -> MY.SUB.NET.1:36414 UDP
Jan 23 15:01:43 24.114.40.164:64023 -> MY.SUB.NET.1:36415 UDP
Jan 23 15:01:43 24.114.40.164:64023 -> MY.SUB.NET.1:36416 UDP

Packets look like this:

[**] IDS003 - MISC-Traceroute UDP [**]
01/18-09:25:00.825793 24.114.40.164:34876 -> 192.156.110.1:46238
UDP TTL:1 TOS:0x0 ID:34876
Len: 13
54 72 61 63 65                                   Trace

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Is this just a traceroute? But why so many? And why only to the .1 address
of my class C?

Paul
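
One way to triage log lines in the format quoted above, as an added example that is not part of the original post: group the UDP entries by source, source port and destination, then measure how many destination ports step by exactly one, which is the pattern classic UDP traceroute produces because it increments the destination port on each probe. The function names and the thresholds (`min_probes`, `min_ratio`) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Lines copied from the first log excerpt in the post (destination as redacted there).
SAMPLE = """\
Jan 26 12:43:01 207.236.111.23:49658 -> MY.SUB.NET.1:56023 UDP
Jan 26 12:43:01 207.236.111.23:49658 -> MY.SUB.NET.1:56034 UDP
Jan 26 12:43:01 207.236.111.23:49658 -> MY.SUB.NET.1:56035 UDP
Jan 26 12:43:01 207.236.111.23:49658 -> MY.SUB.NET.1:56036 UDP
Jan 26 12:43:01 207.236.111.23:49658 -> MY.SUB.NET.1:56037 UDP
Jan 26 12:43:01 207.236.111.23:49658 -> MY.SUB.NET.1:56038 UDP
Jan 26 12:43:01 207.236.111.23:49658 -> MY.SUB.NET.1:56039 UDP
Jan 26 12:43:01 207.236.111.23:49658 -> MY.SUB.NET.1:56040 UDP
Jan 26 12:43:01 207.236.111.23:49658 -> MY.SUB.NET.1:56041 UDP
Jan 26 12:43:01 207.236.111.23:49658 -> MY.SUB.NET.1:56042 UDP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) (?P<proto>\w+)$"
)

def parse(log_text):
    """Yield (src, sport, dst, dport, proto) for each recognised log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"]

def summarize(log_text, min_probes=4, min_ratio=0.8):
    """Group UDP entries by (src, sport, dst) and score +1 destination-port stepping."""
    flows = defaultdict(list)
    for src, sport, dst, dport, proto in parse(log_text):
        if proto == "UDP":
            flows[(src, sport, dst)].append(dport)
    report = {}
    for key, ports in flows.items():
        ports = sorted(set(ports))  # log order within one second is not reliable
        steps = [b - a for a, b in zip(ports, ports[1:])]
        ratio = steps.count(1) / len(steps) if steps else 0.0
        report[key] = {
            "probes": len(ports),
            "port_range": (ports[0], ports[-1]),
            "plus_one_ratio": round(ratio, 2),
            # Heuristic only: one source port, one target, ports stepping by 1.
            "traceroute_like": len(ports) >= min_probes and ratio >= min_ratio,
        }
    return report
```

A flow that fails the heuristic (scattered destination ports from one source) is better reviewed as a port scan; the Snort alert's TTL value, which this log format does not carry, is the other field worth checking.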







