Snort mailing list archives
RE: Re: [Snort-sigs] Scan on tcp 13000
From: "Drew Stockman" <Drew.Stockman () cibmis com>
Date: Tue, 18 Feb 2003 14:17:24 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I too am seeing this type of traffic. I am seeing it coming from 128.83.166.35 and sweeping across one of my IP ranges. This IP resolves to the University of Texas at Austin. Seems to be coming out of the universities, but does anyone know what it is yet?

Drew Stockman
Security Analyst
CIBMIS

- -----Original Message-----
From: Alex Polevoy [mailto:aspolevoy () shiloh com]
Sent: Tuesday, February 18, 2003 1:06 PM
To: Snort-users () lists sourceforge net; EveristB () naswi navy mil
Subject: RE: [Snort-users] Re: [Snort-sigs] Scan on tcp 13000

My IDS registered same alerts at 21:53 2003-02-17.

"Everist, Benjamin S. (NASWI)" <EveristB () naswi navy mil> 02/18/03 01:11pm >>>
same here, 149 alerts, same host, same alert.
149 destinations, first/last:
2003-02-17 13:58:06
2003-02-17 13:58:07

- -----Original Message-----
From: Jeff Kell [mailto:jeff-kell () utc edu]
Sent: Monday, February 17, 2003 10:57 PM
To: Michael Scheidell
Cc: Bob Dehnhardt; 'Snort Users List'; baldwinl () mynetwatchman com
Subject: [Snort-users] Re: [Snort-sigs] Scan on tcp 13000

Michael Scheidell wrote:
> Has anyone else seen any tcp scans with both source and
> destination ports of
> 13000, SYN flag set, and a sequence ID of 674711609?

Yep, coming out of columbia.edu.

I had 1702 hits in one tarpit, let me see if they're still stuck... nope, but they should have been reported to DShield... yes!

source port = 13000, dest port = 13000
Source: 128.59.52.11 = mrl-sgi.mech.columbia.edu
Ended about 21:59 (UTC? Not sure what DShield reports)

Jeff

- -------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPlKU1DK/qMtUmsxZEQL17gCgzWi/v93DL81LxclMD2x9VHnjkdsAmgLA
45t0K3Vy/JmyJGQs0t4nvgEA
=MT2n
-----END PGP SIGNATURE-----
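The traffic reported in this thread has three fixed fields (SYN only, source port equal to destination port 13000, one sequence number reused for every target), which lets a sweep be separated from ordinary connection attempts. The sketch below is an added example, not part of any poster's message: the record layout, function names and threshold are assumptions, and the sample records are constructed with documentation-range addresses.

```python
from collections import defaultdict

def make_sample():
    """Constructed records: (src_ip, src_port, dst_ip, dst_port, tcp_flags, seq)."""
    # Sweep shaped like the one in the thread: 13000 -> 13000, SYN, fixed sequence number.
    recs = [("198.51.100.7", 13000, f"192.0.2.{i}", 13000, "S", 674711609)
            for i in range(1, 21)]
    # Ordinary client SYNs: ephemeral source ports, varying initial sequence numbers.
    recs += [("203.0.113.9", 40000 + i, "192.0.2.5", 80, "S", 1000 + 7919 * i)
             for i in range(5)]
    # Same ports, but a single destination and changing sequence numbers: not a sweep.
    recs += [("203.0.113.50", 13000, "192.0.2.8", 13000, "S", 5000 + i)
             for i in range(3)]
    return recs

def find_fixed_seq_sweeps(records, min_targets=10):
    """Return {src_ip: (port, seq, n_targets)} for sources that sent bare SYNs
    with src port == dst port and one reused sequence number to at least
    min_targets distinct hosts."""
    targets = defaultdict(set)
    for src, sport, dst, dport, flags, seq in records:
        # A real TCP stack picks an ephemeral source port and a fresh ISN per
        # connection, so identical ports plus a repeated seq point to crafted packets.
        if flags == "S" and sport == dport:
            targets[(src, sport, seq)].add(dst)
    hits = {}
    for (src, port, seq), dsts in targets.items():
        if len(dsts) >= min_targets:
            hits[src] = (port, seq, len(dsts))
    return hits

if __name__ == "__main__":
    for src, (port, seq, n) in find_fixed_seq_sweeps(make_sample()).items():
        print(f"{src}: SYN sweep on tcp/{port}, seq={seq}, {n} destinations")
```
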
Current thread:
- RE: [Snort-sigs] Scan on tcp 13000 Scheidell (Feb 18)
- <Possible follow-ups>
- RE: Re: [Snort-sigs] Scan on tcp 13000 Everist, Benjamin S. (NASWI) (Feb 18)
- RE: Re: [Snort-sigs] Scan on tcp 13000 Alex Polevoy (Feb 18)
- RE: Re: [Snort-sigs] Scan on tcp 13000 Drew Stockman (Feb 18)
- RE: Re: [Snort-sigs] Scan on tcp 13000 Miller, Eoin (Feb 18)
- RE: Re: [Snort-sigs] Scan on tcp 13000 twig les (Feb 18)