[Snort-users] spp_portscan2 and UDP

Kenton Smith ksmith at ...8120...
Tue Jan 28 08:35:04 EST 2003


I have a machine running MS SQL on my network. It is patched against the
Slammer vulnerability and checks out when I run the Symantec fixsql tool
on it. However it is sending out packets at a consistent rate. I
couldn't figure out what it was doing until I looked at Snort and found
the 300+ entries like the following:

[**] [117:1:1] (spp_portscan2) Portscan detected from [my.sql.server]: 6
targets 6  ports in 0 seconds [**]
01/27-15:43:50.898738 0:50:DA:B9:75:49 -> 1:0:5E:6D:C6:FC type:0x800
len:0x1A2 xxx.xxx.xxx.xxx:1303 -> xxx.xxx.xxx.xxx:1434 UDP TTL:1 TOS:0x0
ID:29272 IpLen:20 DgmLen:404 Len: 384


01/27-15:43:50.970576  UDP src: xxx.xxx.xxx.xxx dst: xxx.xxx.xxx.xxx
sport: 1303 dport: 1434 tgts: 8 ports: 8 event_id: 6

The source is my server and it's going to seemingly random destinations.
I have since disconnected it, but I think it is infected with the worm.
I've rebooted and it comes back shortly after restart. I can't confirm
what the spp_portscan2 is, can anyone tell me? Oddly none of the dports
are UDP 1433, they are all 1434.

Any thoughts?

Thanks,
Kenton Smith






More information about the Snort-users mailing list