Hosting Provided By

RE: [Snort-users] Re: [Snort-sigs] Scan on tcp 13000

From: Everist, Benjamin S. (NASWI) <EveristB(at)naswi.navy.mil>
Date: Tue Feb 18 2003 - 13:11:43 EST

same here, 149 alerts, same host, same alert. 149 destinations, first/ last: 2003-02-17 13:58:06 2003-02-17 13:58:07

-----Original Message-----
From: Jeff Kell [mailto:jeff-kell@utc.edu] Sent: Monday, February 17, 2003 10:57 PM To: Michael Scheidell
Cc: Bob Dehnhardt; 'Snort Users List'; baldwinl@mynetwatchman.com Subject: [Snort-users] Re: [Snort-sigs] Scan on tcp 13000

Michael Scheidell wrote:

> > Has anyone else seen any tcp scans with both source and destination
ports of
> > 13000, SYN flag set, and a sequence ID of 674711609?
>
> Yep, coming out of columbia.edu.

I had 1702 hits in one tarpit, let me see if they're still stuck... nope, but they should have been reported to DShield... yes!

source port = 13000, dest port = 13000

Source: 128.59.52.11 = mrl-sgi.mech.columbia.edu

Ended about 21:59 (UTC? Not sure what DShield reports)

Do you need help?

Jeff

This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven.
http://thinkgeek.com/sf

Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users Received on Tue Feb 18 13:27:31 2003

This message: [ Message body ]
Next message: Alex Polevoy: "RE: [Snort-users] Re: [Snort-sigs] Scan on tcp 13000"
Previous message: Ken Gunderson: "Re: [Snort-users] ACID question .."
In reply to Michael Scheidell: "[Snort-users] Re: [Snort-sigs] Scan on tcp 13000"
Reply: Alex Polevoy: "RE: [Snort-users] Re: [Snort-sigs] Scan on tcp 13000"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 11:49:51 EDT