Snort mailing list archives
Port 17300 scans
From: "Mark Scott" <mscott () mtgroup com>
Date: Tue, 18 Feb 2003 16:46:26 -0600
For those tracking the 17300 scans, here is some more data on the 17300 scans. I had several nodes that were quickly scanned and the snort data all looked the same. Below are the snort alerts from one of my nodes.

Also of interest... they originated from 3 different IPs (211.199.119.223 [Korea], 61.182.210.111 [China] and 61.182.210.22 [China]) to the very same nodes on my network. Any significance to the fact that the 3 src IPs are hitting the same nodes on the network simultaneously?

Regards,
Mark

Mark Scott
Memphis Technology Associates
http://mtgroup.com

=========================================================================
[**] Port 17300 Scan [**]
02/18/03-16:22:29.625943 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3E
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:19234 IpLen:20 DgmLen:48 DF
******S* Seq: 0x429C8DF Ack: 0x0 Win: 0x2000 TcpLen: 28
TCP Options (4) => MSS: 1422 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Port 17300 Scan [**]
02/18/03-16:22:29.867155 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:19746 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x429C8E0 Ack: 0xF2644EE8 Win: 0x2180 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Port 17300 Scan [**]
02/18/03-16:22:29.868560 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:20002 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x429C8E0 Ack: 0xF2644EE8 Win: 0x2180 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Port 17300 Scan [**]
02/18/03-16:22:29.869628 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:20258 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x429C8E0 Ack: 0xF2644EE8 Win: 0x2180 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Port 17300 Scan [**]
02/18/03-16:22:32.800830 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:24354 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x429C8E0 Ack: 0xF2644EE8 Win: 0x2180 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Port 17300 Scan [**]
02/18/03-16:22:38.804678 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:39714 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x429C8E0 Ack: 0xF2644EE8 Win: 0x2180 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Port 17300 Scan [**]
02/18/03-16:22:50.802199 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:60194 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x429C8E0 Ack: 0xF2644EE8 Win: 0x2180 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Port 17300 Scan [**]
02/18/03-16:23:14.853085 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:55075 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x429C8E0 Ack: 0xF2644EE8 Win: 0x2180 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] Port 17300 Scan [**]
02/18/03-16:24:02.882797 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:56101 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x429C8E0 Ack: 0xF2644EE8 Win: 0x2180 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
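Added example, not part of the original post: a small Python parser for Snort full-format alerts like those above. It groups them per flow to show the TCP flag sequence and the gaps between repeated FIN/ACK alerts, and lists which sources hit the same target port. The names parse_alerts and summarize are hypothetical; the first four sample alerts reuse values from the post (TCP options line omitted) and the last one is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Snort full alert: timestamp (+MACs), "src:port -> dst:port TCP ...", flags line.
ALERT_RE = re.compile(
    r"(?P<ts>\d\d/\d\d/\d\d-[\d:]+\.\d+)\s.*?"
    r"(?P<src>\d+(?:\.\d+){3}):\d+ -> (?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+) TCP"
    r".*?(?P<flags>[*12UAPRSF]{8}) Seq:", re.S)
# First four alerts use values from the post; the last alert is constructed.
SAMPLE = """\
02/18/03-16:22:29.625943 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3E
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:19234 IpLen:20 DgmLen:48 DF
******S* Seq: 0x429C8DF Ack: 0x0 Win: 0x2000 TcpLen: 28
02/18/03-16:22:29.869628 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:20258 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x429C8E0 Ack: 0xF2644EE8 Win: 0x2180 TcpLen: 20
02/18/03-16:22:32.800830 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:24354 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x429C8E0 Ack: 0xF2644EE8 Win: 0x2180 TcpLen: 20
02/18/03-16:22:38.804678 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:39714 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x429C8E0 Ack: 0xF2644EE8 Win: 0x2180 TcpLen: 20
02/18/03-16:22:30.000000 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3E
61.182.210.111:2001 -> 10.10.10.49:17300 TCP TTL:110 TOS:0x0 ID:1000 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1000 Ack: 0x0 Win: 0x2000 TcpLen: 28
"""

def parse_alerts(text):
    """Return one dict per alert (ts, src, dst, dport, flags), ordered by time."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        a = m.groupdict()
        a["ts"] = datetime.strptime(a["ts"], "%m/%d/%y-%H:%M:%S.%f")
        alerts.append(a)
    return sorted(alerts, key=lambda a: a["ts"])

def summarize(alerts):
    """Per flow: flag sequence and gaps (s) between FINs; per target: sources."""
    flows, sources = defaultdict(list), defaultdict(set)
    for a in alerts:
        flows[(a["src"], a["dst"], a["dport"])].append(a)
        sources[(a["dst"], a["dport"])].add(a["src"])
    report = {}
    for key, pkts in flows.items():
        fins = [p["ts"] for p in pkts if "F" in p["flags"]]
        gaps = [round((b - a).total_seconds()) for a, b in zip(fins, fins[1:])]
        report[key] = ([p["flags"].replace("*", "") for p in pkts], gaps)
    return report, {k: sorted(v) for k, v in sources.items()}
```

Run over all nine alerts in the post, the FIN/ACK gaps come out at roughly 3, 6, 12, 24 and 48 seconds with an unchanged sequence number, which is the doubling pattern of TCP retransmission backoff.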