
RE: [Snort-users] Re: [Snort-sigs] Scan on tcp 13000

From: Drew Stockman <Drew.Stockman(at)cibmis.com>
Date: Tue Feb 18 2003 - 15:17:24 EST

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I too am seeing this type of traffic. I am seeing it coming from 128.83.166.35 and sweeping across one of my IP ranges. This IP resolves to the University of Texas at Austin. Seems to be coming out of the universities, but does anyone know what it is yet?

Drew Stockman
Security Analyst
CIBMIS

-----Original Message-----
From: Alex Polevoy [mailto:aspolevoy@shiloh.com]
Sent: Tuesday, February 18, 2003 1:06 PM
To: Snort-users@lists.sourceforge.net; EveristB@naswi.navy.mil
Subject: RE: [Snort-users] Re: [Snort-sigs] Scan on tcp 13000

My IDS registered same alerts at 21:53 2003-02-17.

>>> "Everist, Benjamin S. (NASWI)" <EveristB@naswi.navy.mil> 02/18/03 01:11pm >>>
same here, 149 alerts, same host, same alert. 149 destinations, first/
last: 2003-02-17 13:58:06 2003-02-17 13:58:07

-----Original Message-----
From: Jeff Kell [mailto:jeff-kell@utc.edu]
Sent: Monday, February 17, 2003 10:57 PM
To: Michael Scheidell
Cc: Bob Dehnhardt; 'Snort Users List'; baldwinl@mynetwatchman.com
Subject: [Snort-users] Re: [Snort-sigs] Scan on tcp 13000

Michael Scheidell wrote:

> > Has anyone else seen any tcp scans with both source and destination ports of
> > 13000, SYN flag set, and a sequence ID of 674711609?
>
> Yep, coming out of columbia.edu.


I had 1702 hits in one tarpit, let me see if they're still stuck... nope, but they should have been reported to DShield... yes!

source port = 13000, dest port = 13000

Source: 128.59.52.11 = mrl-sgi.mech.columbia.edu

Ended about 21:59 (UTC? Not sure what DShield reports)

Jeff

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPlKU1DK/qMtUmsxZEQL17gCgzWi/v93DL81LxclMD2x9VHnjkdsAmgLA 45t0K3Vy/JmyJGQs0t4nvgEA
=MT2n
-----END PGP SIGNATURE-----
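
The fingerprint reported in this thread (TCP SYN, source and destination port both 13000, sequence number 674711609), checked against raw IPv4 packets and tallied per source so a sweep across many destinations stands out. This is an added example, not part of the original messages; the function names, the RFC 5737 addresses and the sample packets are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

SCAN_PORT = 13000       # source and destination port reported in the thread
SCAN_SEQ = 674711609    # fixed TCP sequence number reported in the thread
TH_SYN, TH_ACK = 0x02, 0x10

def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, seq, flags), or None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != socket.IPPROTO_TCP:
        return None
    ihl = (pkt[0] & 0x0F) * 4  # IP options move the start of the TCP header
    if ihl < 20 or len(pkt) < ihl + 20:
        return None
    sport, dport, seq = struct.unpack_from("!HHI", pkt, ihl)
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            sport, dport, seq, pkt[ihl + 13])

def matches_scan(fields):
    _src, _dst, sport, dport, seq, flags = fields
    return bool(sport == SCAN_PORT and dport == SCAN_PORT and seq == SCAN_SEQ
                and flags & TH_SYN and not flags & TH_ACK)

def sweep_summary(packets):
    """Map each matching source address to the set of destinations it probed."""
    hits = defaultdict(set)
    for pkt in packets:
        fields = parse_ipv4_tcp(pkt)
        if fields and matches_scan(fields):
            hits[fields[0]].add(fields[1])
    return dict(hits)

def build_packet(src, dst, sport, dport, seq, flags):
    """Constructed input: bare IPv4 + TCP headers, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, socket.IPPROTO_TCP,
                     0, socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 512, 0, 0)
    return ip + tcp

# Constructed sample traffic: three sweep probes and three near misses.
SAMPLE = [
    build_packet("192.0.2.10", "198.51.100.1", 13000, 13000, SCAN_SEQ, TH_SYN),
    build_packet("192.0.2.10", "198.51.100.2", 13000, 13000, SCAN_SEQ, TH_SYN),
    build_packet("192.0.2.10", "198.51.100.3", 13000, 13000, SCAN_SEQ, TH_SYN),
    build_packet("192.0.2.10", "198.51.100.4", 13000, 13000, 12345, TH_SYN),
    build_packet("192.0.2.20", "198.51.100.1", 13000, 80, SCAN_SEQ, TH_SYN),
    build_packet("192.0.2.10", "198.51.100.5", 13000, 13000, SCAN_SEQ, TH_SYN | TH_ACK),
]
```

Calling `sweep_summary(SAMPLE)` returns only the first source, with the three destinations that matched every field of the fingerprint.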




Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list

Received on Tue Feb 18 15:42:33 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 11:49:51 EDT
