[Snort-users] Proxy Scanner?

John McCain jmccain at ...7336...
Fri Dec 20 07:38:02 EST 2002

I've seen this quite a bit.  Exactly the same type of scan against
exactly the same target ports.  I believe that the use of port 0 as the
source port is an attempt to evade firewall rules which apply to ports
1-65535.  Are you able/willing to discuss the origin of these scans?  I
would, but I don't remember the exact addresses, and wouldn't want to
implicate the innocent.

I think we should go back through our logs and compare notes, however.

On Fri, 2002-12-20 at 08:29, Sylar, John wrote:
> Lately, I'm seeing this sort of scan alot, from assorted netblocks. Doesn't
> seem to correlate to the Incidents site.
> While the source port is not always 0, the destination ports are always the
> same, in the same order.
> Does anyone know what tool this might be? Or have some pointers to
> references for reading?
> Dec 19 18:39:14 their.i.p.addr:0 -> my.i.p.addr:1080 SYN ******S*
> Dec 19 18:39:14 their.i.p.addr:0 -> my.i.p.addr:3128 SYN ******S*
> Dec 19 18:39:14 their.i.p.addr:0 -> my.i.p.addr:8000 SYN ******S*
> Dec 19 18:39:14 their.i.p.addr:0 -> my.i.p.addr:80 SYN ******S*
> Dec 19 18:39:14 their.i.p.addr:0 -> my.i.p.addr:8080 SYN ******S*
> Thanks and best regards,
> Sam
> -------------------------------------------------------
> This SF.NET email is sponsored by:  The Best Geek Holiday Gifts!
> Time is running out!  Thinkgeek.com has the coolest gifts for
> your favorite geek.   Let your fingers do the typing.   Visit Now.
> T H I N K G E E K . C O M        http://www.thinkgeek.com/sf/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list