Spp_portscan2

["Bell, Josh" <josh.bell () guidancesoftware com>]

I am seeing frequent occurences of the alert below:

[**] [117:1:1] (spp_portscan2) Portscan detected from <inside ip>: 6
targets 6 ports in 28 seconds [**]
01/07-15:45:30.576389 <inside ip>:2403 -> <public ip>:80
TCP TTL:127 TOS:0x0 ID:57864 IpLen:20 DgmLen:48 DF
******S* Seq: 0x737F57F6  Ack: 0x0  Win: 0xFAF0  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

I've observed that this tends to happen when a user launches Internet
Explorer and has their homepage set to the default Microsoft puts in
there.  Does this just have something to do with the redirection they
do?  Or the version check?  Does anybody know for sure?

BTW I'm running Snort 2.0.5 (wow...gotta upgrade) on SuSE 9.

Josh Bell
Manager of I.T.
 
Note:  The information contained in this message may be privileged and confidential and thus protected from disclosure. 
 If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this 
message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this 
communication is strictly prohibited.  If you have received this communication in error, please notify us immediately 
by replying to the message and deleting it from your computer.  Thank you.



-------------------------------------------------------
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users