Snort mailing list archives

RE: Re: [Snort-sigs] Scan on tcp 13000


From: "Everist, Benjamin S. (NASWI)" <EveristB () naswi navy mil>
Date: Tue, 18 Feb 2003 10:11:43 -0800

same here, 149 alerts, same host, same alert.  149 destinations, first/last: 2003-02-17 13:58:06  2003-02-17 13:58:07

-----Original Message-----
From: Jeff Kell [mailto:jeff-kell () utc edu]
Sent: Monday, February 17, 2003 10:57 PM
To: Michael Scheidell
Cc: Bob Dehnhardt; 'Snort Users List'; baldwinl () mynetwatchman com
Subject: [Snort-users] Re: [Snort-sigs] Scan on tcp 13000


Michael Scheidell wrote:

Has anyone else seen any tcp scans with both source and destination ports of 13000, SYN flag set, and a sequence ID of 674711609?

Yep, coming out of columbia.edu.

I had 1702 hits in one tarpit, let me see if they're still stuck...
nope, but they should have been reported to DShield... yes!

source port = 13000, dest port = 13000

Source:  128.59.52.11 = mrl-sgi.mech.columbia.edu

Ended about 21:59 (UTC? Not sure what DShield reports)

Jeff
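
Added example, not part of the original thread: one way to match the probe described above (TCP SYN only, source and destination port 13000, sequence number 674711609) against raw IPv4 packets and produce the per-source summary the posters quote (alert count, distinct destinations, first/last seen). The function names, the `build` helper and the sample packets are assumptions constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

SCAN_PORT = 13000      # source and destination port reported in the thread
SCAN_SEQ = 674711609   # fixed TCP sequence number reported in the thread
TCP_SYN = 0x02

def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, seq, flags), or None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4  # IP options shift the TCP header
    if ihl < 20 or len(pkt) < ihl + 14:
        return None
    sport, dport, seq = struct.unpack_from("!HHI", pkt, ihl)
    flags = pkt[ihl + 13] & 0x3F  # FIN/SYN/RST/PSH/ACK/URG
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            sport, dport, seq, flags)

def is_scan_probe(pkt):
    f = parse_ipv4_tcp(pkt)
    return bool(f) and f[2] == f[3] == SCAN_PORT and f[4] == SCAN_SEQ and f[5] == TCP_SYN

def summarize(records):
    """records: (timestamp, raw_packet) pairs -> per-source hits, destinations, first/last."""
    out = defaultdict(lambda: {"hits": 0, "dests": set(), "first": None, "last": None})
    for ts, pkt in records:
        if not is_scan_probe(pkt):
            continue
        src, dst = parse_ipv4_tcp(pkt)[:2]
        s = out[src]
        s["hits"] += 1
        s["dests"].add(dst)
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return dict(out)

def build(src, dst, sport, dport, seq, flags):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, flags, 1024, 0, 0)

# Constructed sample (minimal headers, zero checksums); documentation-range addresses.
SAMPLE = [
    ("2003-02-17 13:58:06", build("192.0.2.10", "198.51.100.1", 13000, 13000, SCAN_SEQ, 0x02)),
    ("2003-02-17 13:58:07", build("192.0.2.10", "198.51.100.2", 13000, 13000, SCAN_SEQ, 0x02)),
    ("2003-02-17 13:58:07", build("192.0.2.10", "198.51.100.3", 13000, 13000, 12345, 0x02)),
    ("2003-02-17 13:58:08", build("192.0.2.77", "198.51.100.4", 40000, 13000, SCAN_SEQ, 0x12)),
]
```

Calling `summarize(SAMPLE)` reports only the first source, with two hits; the third packet has a different sequence number and the fourth is a SYN+ACK from a different source port.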
