[Snort-users] Shaft?

J. Craig Woods drjung at ...5405...
Fri Aug 23 19:20:03 EDT 2002


No, not the movie. The trojan. I was wondering if anyone on the list has
run into the log entry:

Aug 21 16:32:47 lincoln snort: [1:241:2] DDOS shaft synflood
[Classification: Attempted Denial of Service] [Priority: 2]: {TCP}
195.27.218.62:13000 -> X.X.X.X:13000
Aug 22 04:39:18 lincoln snort: [1:241:2] DDOS shaft synflood
[Classification: Attempted Denial of Service] [Priority: 2]: {TCP}
195.27.218.62:6000 -> X.X.X.X:6000

I have left in the source IP because it is important in understanding
this alert. A simple whois will show this IP to be in the RIPE netblock.
It also has no reverse DNS configured. Yes, it might very well be
spoofed or a false positive.

I have checked out all of my security on my server, and things look
intact, and I cannot find any penetration. I was hoping someone might
have some thoughts on this alert or maybe you can point me in the right
direction. Of course, neither of these ports is open to the internet. I
have ipchains logging for attempts on port 6000 (X), and it clearly shows
a DENY on that one. No logging on 13000, but it is filtered (strange port
to be probing, yes?).

Thanks for any assistance,
drjung

-- 
J. Craig Woods
UNIX Network/System Administration
http://www.trismegistus.net/resume.html
Character is built upon the debris of despair --Emerson
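The two alerts above are in Snort's syslog output format. The following is an added triage helper, not code from the poster or from Snort: it parses that format into fields (gid:sid:rev, message, classification, priority, protocol, endpoints), flags alerts where the source port equals the destination port as both of these do, and groups alerts by source IP and SID. The sample lines are constructed from the post, with the destination left masked as X.X.X.X.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the two alerts quoted in the post
# plus one unrelated syslog line that the parser must ignore.
SAMPLE_LOG = """\
Aug 21 16:32:47 lincoln snort: [1:241:2] DDOS shaft synflood [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} 195.27.218.62:13000 -> X.X.X.X:13000
Aug 22 04:39:18 lincoln snort: [1:241:2] DDOS shaft synflood [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} 195.27.218.62:6000 -> X.X.X.X:6000
Aug 22 04:40:02 lincoln sshd[1234]: Accepted publickey for drjung from 10.0.0.5 port 51022 ssh2
"""

# Snort syslog alert layout:
# "<timestamp> <host> snort: [gid:sid:rev] <msg> [Classification: ...] [Priority: N]: {PROTO} src:sport -> dst:dport"
# Hosts are matched as non-whitespace so a masked address such as X.X.X.X still parses.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snort: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>\S+?):(?P<sport>\d+) -> (?P<dst>\S+?):(?P<dport>\d+)$"
)


def parse_alert(line):
    """Return a dict of alert fields, or None for lines that are not Snort alerts."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    a = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        a[key] = int(a[key])
    # Both alerts in the post have source port == destination port;
    # surface that so it stands out during triage.
    a["same_port"] = a["sport"] == a["dport"]
    return a


def summarize(log_text):
    """Parse every line and count alerts per (source IP, SID)."""
    alerts = [a for a in (parse_alert(l) for l in log_text.splitlines()) if a]
    counts = Counter((a["src"], a["sid"]) for a in alerts)
    return alerts, counts


if __name__ == "__main__":
    alerts, counts = summarize(SAMPLE_LOG)
    for (src, sid), n in counts.most_common():
        print(f"{src} sid={sid} alerts={n}")
```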