[Snort-users] Morpheus traffic classified as Vecna scan

francisv at ...6732... francisv at ...6732...
Wed Sep 4 18:40:03 EDT 2002


Hi,

I was just wondering why Morpheus traffic is being tagged as a Vecna stealth
scan. Here's the traffic:

Generated by ACID v0.9.6b21 on Thu September 05, 2002 09:37:12
------------------------------------------------------------------------------
#(2 - 271994) [2002-09-02 00:19:22]  spp_stream4: STEALTH ACTIVITY (Vecna scan) detection
IPv4: 148.63.153.164 -> 202.xxx.xxx.68
      hlen=5 TOS=0 dlen=158 ID=26151 flags=0 offset=0 TTL=56 chksum=17327
TCP:  port=4852 -> dport: 6346  flags=****P*** seq=4066800650
      ack=0 off=5 res=1 win=8192 urp=0 chksum=63382
Payload:  length = 118

000 : 47 4E 55 54 45 4C 4C 41 20 43 4F 4E 4E 45 43 54   GNUTELLA CONNECT
010 : 2F 30 2E 36 0D 0A 55 73 65 72 2D 41 67 65 6E 74   /0.6..User-Agent
020 : 3A 20 4D 6F 72 70 68 65 75 73 20 32 2E 30 2E 31   : Morpheus 2.0.1
030 : 2E 34 0D 0A 58 2D 55 6C 74 72 61 70 65 65 72 3A   .4..X-Ultrapeer:
040 : 20 46 61 6C 73 65 0D 0A 52 45 51 55 45 53 54 54    False..REQUESTT
050 : 45 53 54 43 4F 4E 4E 3A 20 37 30 38 31 0D 0A 4C   ESTCONN: 7081..L
060 : 69 73 74 65 6E 69 6E 67 50 6F 72 74 20 3A 37 30   isteningPort :70
070 : 38 31 0D 0A 0D 0A                                 81....



