[Snort-users] What is the significance of this log file ?

Jon Naumann Jon.Naumann at ...2805...
Thu Sep 20 04:49:02 EDT 2001


Greetings from a newbie....

I have been seeing quite a bit of traffic similar to below from my
internal hosts going out.  I have seen some traffic where the source
port increments with each additional target that leads me to believe
that a port scan is in progress.  I am not understanding the
significance of the source port not changing.  I haven't been able to
turn up anything about UDP port 1227 in any list of trojans nor in the
IANA/RFC's defining what should be on that port.

Can anyone shed some light?

02:58:45 xx.xx.201.42:1227 -> 63.57.15.70:2619 UDP
02:58:45 xx.xx.201.42:1227 -> 165.247.89.101:1157 UDP
02:58:45 xx.xx.201.42:1227 -> 151.202.96.84:2588 UDP
02:58:46 xx.xx.201.42:1227 -> 63.194.22.174:1174 UDP
02:58:45 xx.xx.201.42:1227 -> 149.159.62.152:2254 UDP
02:58:48 xx.xx.201.42:1227 -> 165.247.89.101:1157 UDP
02:58:48 xx.xx.201.42:1227 -> 63.194.22.174:1174 UDP
02:58:47 xx.xx.201.42:1227 -> 63.57.15.70:2619 UDP
02:58:48 xx.xx.201.42:1227 -> 151.202.96.84:2588 UDP
02:58:48 xx.xx.201.42:1227 -> 149.159.62.152:2254 UDP
02:58:51 xx.xx.201.42:1227 -> 165.247.89.101:1157 UDP
02:58:51 xx.xx.201.42:1227 -> 151.202.96.84:2588 UDP
02:58:50 xx.xx.201.42:1227 -> 149.159.62.152:2254 UDP
02:58:51 xx.xx.201.42:1227 -> 63.57.15.70:2619 UDP
02:58:51 xx.xx.201.42:1227 -> 63.194.22.174:1174 UDP
02:58:54 xx.xx.201.42:1227 -> 63.57.15.70:2619 UDP
02:58:54 xx.xx.201.42:1227 -> 165.247.89.101:1157 UDP
02:58:54 xx.xx.201.42:1227 -> 151.202.96.84:2588 UDP
02:58:54 xx.xx.201.42:1227 -> 63.194.22.174:1174 UDP
02:58:54 xx.xx.201.42:1227 -> 149.159.62.152:2254 UDP
02:58:57 xx.xx.201.42:1227 -> 63.194.22.174:1174 UDP
02:58:57 xx.xx.201.42:1227 -> 63.57.15.70:2619 UDP
02:58:57 xx.xx.201.42:1227 -> 165.247.89.101:1157 UDP
02:58:57 xx.xx.201.42:1227 -> 151.202.96.84:2588 UDP
02:58:57 xx.xx.201.42:1227 -> 149.159.62.152:2254 UDP
02:59:00 xx.xx.201.42:1227 -> 63.194.22.174:1174 UDP
02:59:00 xx.xx.201.42:1227 -> 63.57.15.70:2619 UDP
02:59:00 xx.xx.201.42:1227 -> 149.159.62.152:2254 UDP
02:59:00 xx.xx.201.42:1227 -> 151.202.96.84:2588 UDP
02:58:59 xx.xx.201.42:1227 -> 165.247.89.101:1157 UDP
02:59:03 xx.xx.201.42:1227 -> 63.57.15.70:2619 UDP
02:59:03 xx.xx.201.42:1227 -> 149.159.62.152:2254 UDP
02:59:03 xx.xx.201.42:1227 -> 63.194.22.174:1174 UDP
02:59:03 xx.xx.201.42:1227 -> 151.202.96.84:2588 UDP
02:59:01 xx.xx.201.42:2346 -> 194.251.249.103:27243 UDP
02:59:02 xx.xx.201.42:1227 -> 165.247.89.101:1157 UDP
02:59:06 xx.xx.201.42:1227 -> 63.194.22.174:1174 UDP
02:59:06 xx.xx.201.42:1227 -> 151.202.96.84:2588 UDP

Thanks in advance,

Jon Naumann
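As an added illustration, not part of the original post or of Snort itself, the script below parses lines in the format quoted above and separates the two patterns the post describes: a fresh, increasing source port for every target with each target hit once, versus one fixed source port revisiting the same small set of peers on a steady cadence. The first fifteen port-1227 lines and the single port-2346 line are taken from the post; the second sample, a scan-like burst from 192.0.2.10, is constructed for contrast. The five-target threshold and the 90% share used to pick the dominant socket are arbitrary assumptions. One caveat a practitioner should keep in mind: a scanner can pin its source port too, so the "periodic" verdict rests on the peer set being small and revisited every few seconds, not on the unchanging port alone.

```python
import re
from collections import defaultdict
from statistics import median

# Format of the lines quoted in the post: "HH:MM:SS src:sport -> dst:dport PROTO"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\s+(?P<sip>\S+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dip>\S+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)


def parse(lines):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        h, mi, s = (int(x) for x in m["ts"].split(":"))
        events.append({
            "t": h * 3600 + mi * 60 + s,        # seconds since midnight
            "src": (m["sip"], int(m["sport"])),
            "dst": (m["dip"], int(m["dport"])),
            "proto": m["proto"],
        })
    return events


def summarize_sockets(events):
    """Per source (ip, port): packets, distinct peers, most hits on one peer,
    and the median gap between consecutive packets to the same peer."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    out = {}
    for src, evs in by_src.items():
        by_dst = defaultdict(list)
        for e in evs:
            by_dst[e["dst"]].append(e["t"])
        gaps = []
        for ts in by_dst.values():
            ts.sort()                           # the quoted log is not strictly time-ordered
            gaps.extend(b - a for a, b in zip(ts, ts[1:]))
        out[src] = {
            "packets": len(evs),
            "distinct_dsts": len(by_dst),
            "max_hits_per_dst": max(len(v) for v in by_dst.values()),
            "median_revisit_s": median(gaps) if gaps else None,
        }
    return out


def classify_source(events, sip, scan_min_targets=5):
    """Return (label, detail) for all traffic sent by source IP `sip`."""
    evs = sorted((e for e in events if e["src"][0] == sip), key=lambda e: e["t"])
    if not evs:
        return ("no-traffic", "no events from %s" % sip)
    sports = [e["src"][1] for e in evs]
    dsts = {e["dst"] for e in evs}
    # Pattern A: a fresh, increasing ephemeral port per packet, every target hit once.
    if (len(set(sports)) == len(evs)
            and all(a < b for a, b in zip(sports, sports[1:]))
            and len(dsts) >= scan_min_targets):
        return ("scan-like",
                "source port increments per packet; %d targets each hit once" % len(dsts))
    # Pattern B: one socket carries ~all packets and revisits a fixed peer set on a cadence.
    sock, s = max(summarize_sockets(evs).items(), key=lambda kv: kv[1]["packets"])
    if (s["packets"] >= 0.9 * len(evs) and s["max_hits_per_dst"] >= 3
            and s["median_revisit_s"]):
        return ("periodic-peer-set",
                "fixed source port %d revisits %d peers about every %gs "
                "(consistent with one bound UDP socket and a fixed peer set)"
                % (sock[1], s["distinct_dsts"], s["median_revisit_s"]))
    return ("indeterminate", "%d packets to %d peers" % (len(evs), len(dsts)))


# Lines taken from the post above (first three rounds of port 1227 plus the 2346 packet).
POSTED_LOG = """\
02:58:45 xx.xx.201.42:1227 -> 63.57.15.70:2619 UDP
02:58:45 xx.xx.201.42:1227 -> 165.247.89.101:1157 UDP
02:58:45 xx.xx.201.42:1227 -> 151.202.96.84:2588 UDP
02:58:46 xx.xx.201.42:1227 -> 63.194.22.174:1174 UDP
02:58:45 xx.xx.201.42:1227 -> 149.159.62.152:2254 UDP
02:58:48 xx.xx.201.42:1227 -> 165.247.89.101:1157 UDP
02:58:48 xx.xx.201.42:1227 -> 63.194.22.174:1174 UDP
02:58:47 xx.xx.201.42:1227 -> 63.57.15.70:2619 UDP
02:58:48 xx.xx.201.42:1227 -> 151.202.96.84:2588 UDP
02:58:48 xx.xx.201.42:1227 -> 149.159.62.152:2254 UDP
02:58:51 xx.xx.201.42:1227 -> 165.247.89.101:1157 UDP
02:58:51 xx.xx.201.42:1227 -> 151.202.96.84:2588 UDP
02:58:50 xx.xx.201.42:1227 -> 149.159.62.152:2254 UDP
02:58:51 xx.xx.201.42:1227 -> 63.57.15.70:2619 UDP
02:58:51 xx.xx.201.42:1227 -> 63.194.22.174:1174 UDP
02:59:01 xx.xx.201.42:2346 -> 194.251.249.103:27243 UDP
""".splitlines()

# Constructed sample (documentation addresses): one new, increasing source port per target.
CONSTRUCTED_SCAN = """\
03:10:01 192.0.2.10:3001 -> 198.51.100.1:137 UDP
03:10:01 192.0.2.10:3002 -> 198.51.100.2:137 UDP
03:10:01 192.0.2.10:3003 -> 198.51.100.3:137 UDP
03:10:02 192.0.2.10:3004 -> 198.51.100.4:137 UDP
03:10:02 192.0.2.10:3005 -> 198.51.100.5:137 UDP
03:10:02 192.0.2.10:3006 -> 198.51.100.6:137 UDP
""".splitlines()

if __name__ == "__main__":
    ev = parse(POSTED_LOG + CONSTRUCTED_SCAN)
    for ip in ("xx.xx.201.42", "192.0.2.10"):
        print(ip, *classify_source(ev, ip))
```

Run as-is it reports the posted host as "periodic-peer-set" (five peers revisited about every 3 seconds from port 1227, with the lone 2346 packet counted as a second socket) and the constructed host as "scan-like". Feeding it the full log rather than the excerpt changes the packet counts but not the verdict.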
