RE: [Snort-users] Re: [Snort-sigs] Scan on tcp 13000

From: Alex Polevoy <aspolevoy(at)shiloh.com>
Date: Tue Feb 18 2003 - 14:06:16 EST

My IDS registered same alerts at 21:53 2003-02-17.

>>> "Everist, Benjamin S. (NASWI)" <EveristB@naswi.navy.mil> 02/18/03 01:11pm >>>
same here, 149 alerts, same host, same alert. 149 destinations, first/
last: 2003-02-17 13:58:06 2003-02-17 13:58:07

-----Original Message-----
From: Jeff Kell [mailto:jeff-kell@utc.edu] Sent: Monday, February 17, 2003 10:57 PM To: Michael Scheidell
Cc: Bob Dehnhardt; 'Snort Users List'; baldwinl@mynetwatchman.com Subject: [Snort-users] Re: [Snort-sigs] Scan on tcp 13000

Michael Scheidell wrote:

> > Has anyone else seen any tcp scans with both source and
destination
ports of
> > 13000, SYN flag set, and a sequence ID of 674711609?

I had 1702 hits in one tarpit, let me see if they're still stuck... nope, but they should have been reported to DShield... yes!

source port = 13000, dest port = 13000

Source: 128.59.52.11 = mrl-sgi.mech.columbia.edu

Ended about 21:59 (UTC? Not sure what DShield reports)

Jeff

---

This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven.
http://thinkgeek.com/sf

---

Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users Received on Tue Feb 18 14:25:13 2003