[Snort-users] Portscans noted

Scott Fringer fringsm at ...5133...
Fri Jan 31 04:55:06 EST 2003


Gordon,
  A good place to get a start on tracking down those various ports is:

http://andrew.triumf.ca/cgi-bin/port

Scott

Scott Fringer                              Shands Healthcare @ U.F.
Network Systems Analyst                        Gainesville, FL

On Fri, 31 Jan 2003, Gordon Cunningham wrote:

> This looks like a deliberate scan for specific vulnerabilities.  Does anyone
> know what the various non-standard ports are they are scanning?  Many are
> coming up unknown.
>
> 01/31-06:59:32.676595  TCP src: x.x.x.x dst: x.x.x.x sport: 1542 dport:
> 44134 tgts: 1 ports: 21 flags: *****R** event_id: 0
> 01/31-06:59:32.776614  TCP src: x.x.x.x dst: x.x.x.x sport: 865 dport: 43367
> tgts: 1 ports: 22 flags: *****R** event_id: 237
> 01/31-06:59:32.976614  TCP src: x.x.x.x dst: x.x.x.x sport: 588 dport: 44137
> tgts: 1 ports: 23 flags: *****R** event_id: 237
> 01/31-06:59:33.276653  TCP src: x.x.x.x dst: x.x.x.x sport: 369 dport: 44140
> tgts: 1 ports: 24 flags: *****R** event_id: 237
> 01/31-06:59:33.476657  TCP src: x.x.x.x dst: x.x.x.x sport: 3456 dport:
> 44142 tgts: 1 ports: 25 flags: *****R** event_id: 237
> 01/31-06:59:33.576673  TCP src: x.x.x.x dst: x.x.x.x sport: 342 dport: 44143
> tgts: 1 ports: 26 flags: *****R** event_id: 237
> 01/31-06:59:34.876790  TCP src: x.x.x.x dst: x.x.x.x sport: 1404 dport:
> 43900 tgts: 1 ports: 27 flags: *****R** event_id: 237
> 01/31-06:59:34.976852  TCP src: x.x.x.x dst: x.x.x.x sport: 7006 dport:
> 43901 tgts: 1 ports: 28 flags: *****R** event_id: 237
> 01/31-06:59:35.176828  TCP src: x.x.x.x dst: x.x.x.x sport: 981 dport: 43903
> tgts: 1 ports: 29 flags: *****R** event_id: 237
> 01/31-06:59:35.276847  TCP src: x.x.x.x dst: x.x.x.x sport: 361 dport: 43904
> tgts: 1 ports: 30 flags: *****R** event_id: 237
> 01/31-06:59:38.577182  TCP src: x.x.x.x dst: x.x.x.x sport: 22321 dport:
> 43937 tgts: 1 ports: 31 flags: *****R** event_id: 237
>
>
>
> - Gordon
>
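
For triaging a log excerpt like the one quoted above, this Python example (added here, not part of the original thread or of Snort) reassembles the mail-wrapped records, decodes the flags field and tallies the ports seen on each side. Field names are taken from the quoted log lines; the flag order `12UAPRSF` is an assumption based on Snort's usual flag notation.

```python
import re
from collections import Counter
# First two records from the quoted excerpt, with the mailer's "> " prefix and line wrap.
SAMPLE = """\
> 01/31-06:59:32.676595  TCP src: x.x.x.x dst: x.x.x.x sport: 1542 dport:
> 44134 tgts: 1 ports: 21 flags: *****R** event_id: 0
> 01/31-06:59:32.776614  TCP src: x.x.x.x dst: x.x.x.x sport: 865 dport: 43367
> tgts: 1 ports: 22 flags: *****R** event_id: 237
"""
RECORD = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(?P<proto>\w+)\s+"
    r"src:\s*(?P<src>\S+)\s+dst:\s*(?P<dst>\S+)\s+"
    r"sport:\s*(?P<sport>\d+)\s+dport:\s*(?P<dport>\d+)\s+"
    r"tgts:\s*(?P<tgts>\d+)\s+ports:\s*(?P<ports>\d+)\s+"
    r"flags:\s*(?P<flags>\S{8})\s+event_id:\s*(?P<event_id>\d+)")
# Assumption: the flag field uses Snort's usual "12UAPRSF" order, '*' = unset.
FLAG_NAMES = ("RES1", "RES2", "URG", "ACK", "PSH", "RST", "SYN", "FIN")

def unwrap(text):
    """Strip '>' quote markers and rejoin records split across lines."""
    records = []
    for line in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", line).strip()
        if re.match(r"\d\d/\d\d-\d\d:", line):
            records.append(line)       # a timestamp starts a new record
        elif line and records:
            records[-1] += " " + line  # continuation of a wrapped record
    return records

def parse(text):
    """Return one dict per record, numeric fields as int, flags as names."""
    out = []
    for m in filter(None, map(RECORD.search, unwrap(text))):
        d = m.groupdict()
        for k in ("sport", "dport", "tgts", "ports", "event_id"):
            d[k] = int(d[k])
        d["flags"] = [n for n, c in zip(FLAG_NAMES, d["flags"]) if c != "*"]
        out.append(d)
    return out

def summarize(records):
    """Tally flag combinations and list the ports seen on each side."""
    return {"records": len(records),
            "flag_sets": Counter("+".join(r["flags"]) or "none" for r in records),
            "sports": sorted({r["sport"] for r in records}),
            "dports": sorted({r["dport"] for r in records})}

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```

The source-port list from `summarize` is what you would then look up in a port reference such as the one linked in the reply.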
