Snort mailing list archives
Scan on tcp 13000
From: Bob Dehnhardt <bob.dehnhardt () trinet com>
Date: Mon, 17 Feb 2003 15:31:52 -0800
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Has anyone else seen any tcp scans with both source and destination ports of 13000, SYN flag set, and a sequence ID of 674711609? My sensors are catching it as a Shaft synflood because of the sequence ID, but the traffic pattern is more like a sweep - single source, 1 packet each to 119 sequential destinations. No other traffic from this source, I can't find any info on tcp 13000. I'm ready to write it off as a very strange (and singularly unproductive) tcp ping sweep, but thought I should check with the community-at-large first.... Thanks. - Bob Bob Dehnhardt IT Operations Manager - Reno TriNet (775) 327-6407 -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQA/AwUBPlFxBYDecwvqDmutEQLgpgCg1Z8cSDhSbb9OF4Go72eQgE6GSNgAoOwo 9a0shyhclHLrm3//ci0phxCU =MTxc -----END PGP SIGNATURE----- ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Scan on tcp 13000 Bob Dehnhardt (Feb 17)
- Re: [Snort-sigs] Scan on tcp 13000 Michael Scheidell (Feb 17)
- Re: [Snort-sigs] Scan on tcp 13000 Jeff Kell (Feb 17)
- Re: [Snort-sigs] Scan on tcp 13000 Michael Scheidell (Feb 17)