[Snort-users] Portscans noted

Ricardo, Gerson gricardo at ...8098...
Fri Jan 31 05:01:08 EST 2003


You can do a bit of research on port assignments; port lists such as ( http://www.graffiti.com/services ) allow for quick cross reference checks for any given port.  For example, the source (host requesting a service in this case) port 1542 is generally mapped for gridgen-elmd comms.  Be more interested in the payload, though - that's where you can see what message the originator of the packet tried to get across. Lots of script kiddie apps out there can mask services for a variety of reasons.

Cheers,

/gjr


-----Original Message-----
From: Gordon Cunningham [mailto:gcunnin2 at ...163...]
Sent: Friday, January 31, 2003 7:29 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Portscans noted


This looks like a deliberate scan for specific vulnerabilities.  Does anyone
know what the various non-standard ports are they are scanning?  Many are
coming up unknown.

01/31-06:59:32.676595  TCP src: x.x.x.x dst: x.x.x.x sport: 1542 dport: 44134 tgts: 1 ports: 21 flags: *****R** event_id: 0
01/31-06:59:32.776614  TCP src: x.x.x.x dst: x.x.x.x sport: 865 dport: 43367 tgts: 1 ports: 22 flags: *****R** event_id: 237
01/31-06:59:32.976614  TCP src: x.x.x.x dst: x.x.x.x sport: 588 dport: 44137 tgts: 1 ports: 23 flags: *****R** event_id: 237
01/31-06:59:33.276653  TCP src: x.x.x.x dst: x.x.x.x sport: 369 dport: 44140 tgts: 1 ports: 24 flags: *****R** event_id: 237
01/31-06:59:33.476657  TCP src: x.x.x.x dst: x.x.x.x sport: 3456 dport: 44142 tgts: 1 ports: 25 flags: *****R** event_id: 237
01/31-06:59:33.576673  TCP src: x.x.x.x dst: x.x.x.x sport: 342 dport: 44143 tgts: 1 ports: 26 flags: *****R** event_id: 237
01/31-06:59:34.876790  TCP src: x.x.x.x dst: x.x.x.x sport: 1404 dport: 43900 tgts: 1 ports: 27 flags: *****R** event_id: 237
01/31-06:59:34.976852  TCP src: x.x.x.x dst: x.x.x.x sport: 7006 dport: 43901 tgts: 1 ports: 28 flags: *****R** event_id: 237
01/31-06:59:35.176828  TCP src: x.x.x.x dst: x.x.x.x sport: 981 dport: 43903 tgts: 1 ports: 29 flags: *****R** event_id: 237
01/31-06:59:35.276847  TCP src: x.x.x.x dst: x.x.x.x sport: 361 dport: 43904 tgts: 1 ports: 30 flags: *****R** event_id: 237
01/31-06:59:38.577182  TCP src: x.x.x.x dst: x.x.x.x sport: 22321 dport: 43937 tgts: 1 ports: 31 flags: *****R** event_id: 237



- Gordon
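A small parser for the portscan log lines quoted above, added here as an example and not code from the thread or from Snort itself. It decodes the flags column using Snort's `12UAPRSF` ordering (so `*****R**` is a bare RST), turns the numeric fields into integers, and summarises what a defender would check first: whether the packets are RST-only, whether the `ports` field is a running count rather than a port number (in the quoted lines it rises by one per entry while `dport` jumps around), and the source/destination port spread. The sample log is constructed from three of the quoted lines plus one invented SYN/ACK entry.

```python
import re

# Constructed sample: three lines copied from the thread (addresses masked as in the post)
# plus one invented SYN/ACK entry so the flag decoder has something other than RST to show.
SAMPLE_LOG = """\
01/31-06:59:32.676595  TCP src: x.x.x.x dst: x.x.x.x sport: 1542 dport: 44134 tgts: 1 ports: 21 flags: *****R** event_id: 0
01/31-06:59:32.776614  TCP src: x.x.x.x dst: x.x.x.x sport: 865 dport: 43367 tgts: 1 ports: 22 flags: *****R** event_id: 237
01/31-06:59:32.976614  TCP src: x.x.x.x dst: x.x.x.x sport: 588 dport: 44137 tgts: 1 ports: 23 flags: *****R** event_id: 237
01/31-06:59:33.100000  TCP src: x.x.x.x dst: x.x.x.x sport: 22321 dport: 43940 tgts: 1 ports: 24 flags: ***A**S* event_id: 237
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>\w+)\s+src:\s*(?P<src>\S+)\s+dst:\s*(?P<dst>\S+)\s+"
    r"sport:\s*(?P<sport>\d+)\s+dport:\s*(?P<dport>\d+)\s+tgts:\s*(?P<tgts>\d+)\s+"
    r"ports:\s*(?P<ports>\d+)\s+flags:\s*(?P<flags>\S{8})\s+event_id:\s*(?P<event_id>\d+)\s*$"
)

# Snort prints TCP flags in this column order: reserved bit 1, reserved bit 2, URG, ACK, PSH, RST, SYN, FIN.
FLAG_ORDER = "12UAPRSF"

def decode_flags(column):
    """Return the set of flag letters whose column is not '*'."""
    return {name for name, ch in zip(FLAG_ORDER, column) if ch != "*"}

def parse_line(line):
    """Parse one portscan log line into typed fields; None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "tgts", "ports", "event_id"):
        rec[key] = int(rec[key])
    rec["flags"] = decode_flags(rec["flags"])
    return rec

def parse_log(text):
    """Parse every matching line of a portscan log, skipping anything unparseable."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def summarize(records):
    """Facts a defender wants before guessing at the scanner's intent."""
    counts = [r["ports"] for r in records]
    return {
        "packets": len(records),
        "rst_only": sum(1 for r in records if r["flags"] == {"R"}),
        # True when 'ports' advances by one per line, i.e. it is a counter, not a port.
        "ports_is_running_count": all(b == a + 1 for a, b in zip(counts, counts[1:])),
        "dport_range": (min(r["dport"] for r in records), max(r["dport"] for r in records)),
        "distinct_sports": sorted({r["sport"] for r in records}),
    }

if __name__ == "__main__":
    print(summarize(parse_log(SAMPLE_LOG)))
```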




