[Snort-users] p2p scans showing up as SCAN FIN and SCAN NMAP ??

John York YorkJ at ...7109...
Wed Nov 12 06:12:02 EST 2003


Lately I've been getting a couple thousand hits a day on SCAN FIN and
some on SCAN NMAP.  They usually come in blocks of 4, and the port
numbers seem to indicate gnutella.  Are these coming from gnutella
clients?
Thanks
John

11/12-02:39:31.268287	SCAN FIN	TCP	213.58.88.126	51494	x.x.x.195	16623
11/12-02:39:31.268279	SCAN FIN	TCP	213.58.88.126	51494	x.x.x.195	16623
11/12-02:39:31.274337	SCAN FIN	TCP	213.58.88.126	51494	x.x.x.195	16623
11/12-02:39:31.274343	SCAN FIN	TCP	213.58.88.126	51494	x.x.x.195	16623
11/12-02:40:00.862726	SCAN FIN	TCP	24.193.12.18	60281	x.x.x.195	16623
11/12-02:40:00.862718	SCAN FIN	TCP	24.193.12.18	60281	x.x.x.195	16623
11/12-02:40:00.866999	SCAN FIN	TCP	24.193.12.18	60281	x.x.x.195	16623
11/12-02:40:00.867007	SCAN FIN	TCP	24.193.12.18	60281	x.x.x.195	16623
11/12-02:42:59.535692	SCAN FIN	TCP	64.65.91.19	4498	x.x.x.47	6346
11/12-02:42:59.539795	SCAN FIN	TCP	64.65.91.19	4498	x.x.x.47	6346
11/12-02:45:47.461893	SCAN FIN	TCP	128.172.210.139	50212	x.x.x.193	13547
11/12-02:45:47.461885	SCAN FIN	TCP	128.172.210.139	50212	x.x.x.193	13547
11/12-02:46:08.314505	SCAN FIN	TCP	67.68.47.192	33449	x.x.x.49	6346
11/12-02:47:37.653656	SCAN FIN	TCP	134.126.203.25	56027	x.x.x.31	6346
11/12-02:48:55.756787	SCAN FIN	TCP	209.208.227.71	62766	x.x.x.31	6346
11/12-02:53:45.302211	SCAN FIN	TCP	67.50.233.248	58345	x.x.x.31	6346
11/12-02:53:45.302521	SCAN FIN	TCP	67.50.233.248	58345	x.x.x.31	6346
11/12-02:53:46.745392	SCAN FIN	TCP	66.91.19.13	53289	x.x.x.176	6346
11/12-02:53:46.745461	SCAN FIN	TCP	66.91.19.13	53289	x.x.x.176	6346
11/12-02:53:46.745383	SCAN FIN	TCP	66.91.19.13	53289	x.x.x.176	6346
11/12-02:53:46.745453	SCAN FIN	TCP	66.91.19.13	53289	x.x.x.176	6346

11/12-02:43:51.881522	SCAN nmap TCP	TCP	64.119.138.2	80	x.x.x.176	6346
11/12-05:34:57.133148	SCAN nmap TCP	TCP	64.119.138.2	80	x.x.x.176	6346
11/12-05:34:57.133155	SCAN nmap TCP	TCP	64.119.138.2	80	x.x.x.176	6346
11/12-05:35:02.151291	SCAN nmap TCP	TCP	64.119.138.2	80	x.x.x.176	6346
11/12-05:35:02.151284	SCAN nmap TCP	TCP	64.119.138.2	80	x.x.x.176	6346
11/12-05:35:07.339134	SCAN nmap TCP	TCP	209.6.58.139	80	x.x.x.176	6346
11/12-05:35:07.339128	SCAN nmap TCP	TCP	209.6.58.139	80	x.x.x.176	6346
11/12-05:35:12.787599	SCAN nmap TCP	TCP	209.6.58.139	80	x.x.x.176	6346
11/12-05:35:12.787607	SCAN nmap TCP	TCP	209.6.58.139	80	x.x.x.176	6346

John York
Network Engineer
Blue Ridge Community College
1 College Lane, Weyers Cave, VA 24486
540.453.2255
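
Added example (not part of the original post and not Snort project code): Python that groups alert lines like those above by signature, source and destination, to check the two observations in the post, namely that alerts arrive in blocks per connection and which destination ports are involved. The field layout is inferred from the pasted lines, the year 2003 is taken from the post's date, and the names `parse` and `summarize` are hypothetical.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Alert lines copied from the post above; each wrapped pair is rejoined onto one line.
SAMPLE = """\
11/12-02:39:31.268287 SCAN FIN TCP 213.58.88.126 51494 x.x.x.195 16623
11/12-02:39:31.268279 SCAN FIN TCP 213.58.88.126 51494 x.x.x.195 16623
11/12-02:39:31.274337 SCAN FIN TCP 213.58.88.126 51494 x.x.x.195 16623
11/12-02:39:31.274343 SCAN FIN TCP 213.58.88.126 51494 x.x.x.195 16623
11/12-02:42:59.535692 SCAN FIN TCP 64.65.91.19 4498 x.x.x.47 6346
11/12-02:42:59.539795 SCAN FIN TCP 64.65.91.19 4498 x.x.x.47 6346
11/12-02:46:08.314505 SCAN FIN TCP 67.68.47.192 33449 x.x.x.49 6346
11/12-05:34:57.133148 SCAN nmap TCP TCP 64.119.138.2 80 x.x.x.176 6346
11/12-05:34:57.133155 SCAN nmap TCP TCP 64.119.138.2 80 x.x.x.176 6346
11/12-05:35:02.151291 SCAN nmap TCP TCP 64.119.138.2 80 x.x.x.176 6346
11/12-05:35:02.151284 SCAN nmap TCP TCP 64.119.138.2 80 x.x.x.176 6346
"""

def parse(line):
    """Return (time, (sig, src, sport, dst, dport)), or None for a non-alert line.
    Assumed layout: time, rule name (may contain spaces), proto, src, sport, dst, dport."""
    f = line.split()
    if len(f) < 7 or not f[-1].isdigit() or not f[-3].isdigit():
        return None
    try:  # the log carries no year; 2003 comes from the post's date header
        ts = datetime.strptime("2003/" + f[0], "%Y/%m/%d-%H:%M:%S.%f")
    except ValueError:
        return None
    return ts, (" ".join(f[1:-5]), f[-4], int(f[-3]), f[-2], int(f[-1]))

def summarize(text):
    """Collapse repeated alerts into flows and count what each source touched."""
    flows = defaultdict(list)
    for line in text.splitlines():
        rec = parse(line)
        if rec:
            flows[rec[1]].append(rec[0])
    targets = defaultdict(set)  # src -> distinct (dst, dport) pairs it alerted on
    for _sig, src, _sport, dst, dport in flows:
        targets[src].add((dst, dport))
    return {
        "alerts": sum(len(t) for t in flows.values()),
        "flows": len(flows),
        "alerts_per_flow": Counter(len(t) for t in flows.values()),
        "flows_per_dport": Counter(k[4] for k in flows),
        "max_targets_per_src": max((len(s) for s in targets.values()), default=0),
        "span_s": {k: (max(t) - min(t)).total_seconds() for k, t in flows.items()},
    }
```

`max_targets_per_src` separates a source that touches many host and port pairs from one that repeats a single pair, and `span_s` shows how tightly each block of alerts is packed in time.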




