Firewall Wizards mailing list archives
RE: Traffic identification
From: "Brian A Kee" <bkee () lurhq com>
Date: Thu, 19 Dec 2002 02:48:37 -0500
You can try this nifty port lookup tool: http://www.treachery.net/security_tools/ports/

This resembles a port scan. Notice the source ports are fairly repetitive. Under most normal circumstances the source port numbers would not be so repetitive. I would definitely take a closer look at the host sending this traffic. I have no info on the hosts.

BAK

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of W.C. Epperson
Sent: Wednesday, December 18, 2002 12:16 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Traffic identification

This is a dial-up user on my network trying to get to something I can't identify at an address I can't find out much about. Does anyone recognize the traffic? Or have suggestions on researching this sort of thing? My old ways of searching on port number, etc., turn up so much noise I can't sift through it.

Dec 18 08:23:56 denied udp 141.104.10.222(9370) -> 207.114.130.6(375)
Dec 18 08:24:56 denied udp 141.104.10.222(9370) -> 207.114.130.7(373)
Dec 18 08:25:56 denied udp 141.104.10.222(9370) -> 207.114.130.7(371)
Dec 18 08:26:03 denied tcp 141.104.10.222(3030) -> 207.114.130.7(483)
Dec 18 08:26:56 denied udp 141.104.10.222(9370) -> 207.114.130.7(376)
Dec 18 08:27:10 denied tcp 141.104.10.222(3033) -> 207.114.130.7(481)
Dec 18 08:28:03 denied udp 141.104.10.222(9370) -> 207.114.130.7(370)
Dec 18 08:29:03 denied udp 141.104.10.222(9370) -> 207.114.130.7(372)
Dec 18 08:29:56 denied udp 141.104.10.222(9370) -> 207.114.130.7(373)
Dec 18 08:30:15 denied tcp 141.104.10.222(3044) -> 207.114.130.7(482)
Dec 18 08:31:56 denied udp 141.104.10.222(9370) -> 207.114.130.7(376)
Dec 18 08:32:03 denied udp 141.104.10.222(9370) -> 207.114.130.7(375)
Dec 18 08:32:56 denied tcp 141.104.10.222(3033) -> 207.114.130.7(481)
Dec 18 08:33:16 denied tcp 141.104.10.222(3052) -> 207.114.130.6(485)
Dec 18 08:33:46 denied tcp 141.104.10.222(3053) -> 207.114.130.7(485)
Dec 18 08:33:56 denied tcp 141.104.10.222(3036) -> 207.114.130.7(486)
Dec 18 08:34:02 denied udp 141.104.10.222(9370) -> 207.114.130.6(370)
Dec 18 08:34:56 denied udp 141.104.10.222(9370) -> 207.114.130.6(375)
Dec 18 08:35:09 denied tcp 141.104.10.222(3054) -> 207.114.130.7(480)
Dec 18 08:35:39 denied tcp 141.104.10.222(3055) -> 207.114.130.6(480)
Dec 18 08:35:56 denied tcp 141.104.10.222(3044) -> 207.114.130.7(482)
Dec 18 08:37:56 denied udp 141.104.10.222(9370) -> 207.114.130.7(375)
Dec 18 08:38:56 denied tcp 141.104.10.222(3052) -> 207.114.130.6(485)
Dec 18 08:39:56 denied udp 141.104.10.222(9370) -> 207.114.130.6(370)
Dec 18 08:40:56 denied tcp 141.104.10.222(3055) -> 207.114.130.6(480)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
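Brian's point is that a normal client draws a fresh ephemeral source port for each connection, so one source port appearing over and over against different destination ports is what makes the UDP traffic look like a scan. The script below is an added example, not code from either poster; it parses the log lines quoted in the original message, groups them per source host and protocol, and flags any source port that was reused toward several different destination ports. The regex format and the threshold of three destination ports are my own assumptions, chosen for this log style; a TCP source port that repeats only toward the same destination port (as 3033, 3044, 3052 and 3055 do here) is treated as a retry rather than as port reuse.

```python
import re
from collections import defaultdict

# The denied-traffic lines quoted in W.C. Epperson's original message (taken from the page).
LOG = """\
Dec 18 08:23:56 denied udp 141.104.10.222(9370) -> 207.114.130.6(375)
Dec 18 08:24:56 denied udp 141.104.10.222(9370) -> 207.114.130.7(373)
Dec 18 08:25:56 denied udp 141.104.10.222(9370) -> 207.114.130.7(371)
Dec 18 08:26:03 denied tcp 141.104.10.222(3030) -> 207.114.130.7(483)
Dec 18 08:26:56 denied udp 141.104.10.222(9370) -> 207.114.130.7(376)
Dec 18 08:27:10 denied tcp 141.104.10.222(3033) -> 207.114.130.7(481)
Dec 18 08:28:03 denied udp 141.104.10.222(9370) -> 207.114.130.7(370)
Dec 18 08:29:03 denied udp 141.104.10.222(9370) -> 207.114.130.7(372)
Dec 18 08:29:56 denied udp 141.104.10.222(9370) -> 207.114.130.7(373)
Dec 18 08:30:15 denied tcp 141.104.10.222(3044) -> 207.114.130.7(482)
Dec 18 08:31:56 denied udp 141.104.10.222(9370) -> 207.114.130.7(376)
Dec 18 08:32:03 denied udp 141.104.10.222(9370) -> 207.114.130.7(375)
Dec 18 08:32:56 denied tcp 141.104.10.222(3033) -> 207.114.130.7(481)
Dec 18 08:33:16 denied tcp 141.104.10.222(3052) -> 207.114.130.6(485)
Dec 18 08:33:46 denied tcp 141.104.10.222(3053) -> 207.114.130.7(485)
Dec 18 08:33:56 denied tcp 141.104.10.222(3036) -> 207.114.130.7(486)
Dec 18 08:34:02 denied udp 141.104.10.222(9370) -> 207.114.130.6(370)
Dec 18 08:34:56 denied udp 141.104.10.222(9370) -> 207.114.130.6(375)
Dec 18 08:35:09 denied tcp 141.104.10.222(3054) -> 207.114.130.7(480)
Dec 18 08:35:39 denied tcp 141.104.10.222(3055) -> 207.114.130.6(480)
Dec 18 08:35:56 denied tcp 141.104.10.222(3044) -> 207.114.130.7(482)
Dec 18 08:37:56 denied udp 141.104.10.222(9370) -> 207.114.130.7(375)
Dec 18 08:38:56 denied tcp 141.104.10.222(3052) -> 207.114.130.6(485)
Dec 18 08:39:56 denied udp 141.104.10.222(9370) -> 207.114.130.6(370)
Dec 18 08:40:56 denied tcp 141.104.10.222(3055) -> 207.114.130.6(480)
"""

# Assumed line layout: "<mon> <day> <hh:mm:ss> <action> <proto> <src>(<sport>) -> <dst>(<dport>)"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<action>\w+) (?P<proto>tcp|udp) "
    r"(?P<src>\d+(?:\.\d+){3})\((?P<sport>\d+)\) -> (?P<dst>\d+(?:\.\d+){3})\((?P<dport>\d+)\)$"
)


def parse_log(text):
    """Return one dict per parseable line; anything that does not match the layout is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            events.append(e)
    return events


def profile(events):
    """Group events by (src, proto) and record which destination ports each source port reached."""
    prof = {}
    for e in events:
        p = prof.setdefault((e["src"], e["proto"]), {
            "events": 0, "dsts": set(), "dports": set(), "per_sport": defaultdict(set)})
        p["events"] += 1
        p["dsts"].add(e["dst"])
        p["dports"].add(e["dport"])
        p["per_sport"][e["sport"]].add(e["dport"])
    return prof


def scan_indicators(prof, min_dports=3):
    """Flag source ports reused against at least min_dports *different* destination ports.

    A fresh connection normally gets a fresh ephemeral source port, and a TCP retry reuses
    its source port only toward the same destination port, so neither trips this check.
    One source port fanning out across many destination ports is the repetition the
    reply points at.
    """
    hits = []
    for (src, proto), p in sorted(prof.items()):
        for sport, dports in sorted(p["per_sport"].items()):
            if len(dports) >= min_dports:
                hits.append((src, proto, sport, sorted(dports)))
    return hits


if __name__ == "__main__":
    prof = profile(parse_log(LOG))
    for (src, proto), p in sorted(prof.items()):
        print(f"{src}/{proto}: {p['events']} events, {len(p['per_sport'])} source ports, "
              f"{len(p['dports'])} dst ports, {len(p['dsts'])} dst hosts")
    for src, proto, sport, dports in scan_indicators(prof):
        print(f"scan-like: {src}/{proto} source port {sport} -> dst ports {dports}")
```

Run against the quoted log, the UDP side collapses to a single source port (9370) hitting six destination ports on two hosts, while the TCP side uses eight source ports that each touch exactly one destination port, so only the UDP traffic is flagged. The same per-source-port fan-out count works on any denied-traffic log once the regex is adapted to its layout.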
Current thread:
- Traffic identification W.C. Epperson (Dec 18)
- RE: Traffic identification Brian A Kee (Dec 18)
- RE: Traffic identification Bill Royds (Dec 18)
- RE: Traffic identification Christopher Hicks (Dec 19)
- Re: Traffic identification Jim Seymour (Dec 18)