[Snort-users] redworm sanity check

John Hally JHally at ...5637...
Sat Jun 8 15:02:03 EDT 2002


I'm looking over some detects I pulled down from the net, and I see a lot of
activity bewteen hosts using a source and destination port of 65535.  I know
that code red/adore worm opened a back door on this port, but I had thought
that it only listened on this port, and not communicated with other infected
hosts on the same port.  does that make sense?  I've been looking at these
traces a while, and starting to burn out, I just wanted to get a sanity


04/01-08:10:28.570578 [**] High port 65535 udp - possible Red Worm - traffic
[**] xxx.xxx.6.49:65535 -> xxx.xxx.152.181:65535

thanks in advance.

More information about the Snort-users mailing list