Security Incidents mailing list archives
[no subject]
From: Wozz <wozz+incidents () WOOKIE NET>
Date: Fri, 9 Feb 2001 15:32:42 -0700
Any idea what would generate the following alerts? I don't think it's just nmap and I'm trying to figure out what they're trying to accomplish:

[**] IDS28/probe-nmap_tcp_ping [**]
02/09-09:19:12.942288 0:B0:4A:9B:D0:38 -> 8:0:20:C2:1A:58 type:0x800 len:0x3C
194.133.58.129:80 -> a.b.c.42:53 TCP TTL:51 TOS:0x0 ID:13740 IpLen:20 DgmLen:40
***A**** Seq: 0x1BF Ack: 0x0 Win: 0x578 TcpLen: 20

[**] IDS7/SourcePortTraffic-53-tcp [**]
02/09-09:19:12.942337 0:B0:4A:9B:D0:38 -> 8:0:20:C2:1A:58 type:0x800 len:0x3C
194.133.58.129:53 -> a.b.c.42:53 TCP TTL:51 TOS:0x0 ID:13741 IpLen:20 DgmLen:40
******S* Seq: 0x6ACADDF Ack: 0x0 Win: 0x578 TcpLen: 20

What I'm curious about is why the change in source ports on the probing system. I'm seeing this from several different sources (8 to be exact), so it's obviously some widespread tool that's being used. Any idea what it might be? It seems to be targeting two of our whois listed DNS servers.
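Reading the two alerts above programmatically, as an added example that is not part of the original post: a small parser for Snort's full alert format, followed by a per-source classifier that names what each packet looks like (a bare ACK acknowledging 0, a SYN sourced from port 53) and checks whether the IP IDs from one source are consecutive, which is what makes the pair look like one tool rather than two. The sample input is the post's own two alerts; the labels "ack-ping", "syn-from-53" and "consecutive-ipid" and the heuristics behind them are my assumptions, not anything from the list archive.

```python
import re
from collections import defaultdict
# Constructed sample input: the two Snort alerts quoted in the post.
SAMPLE_ALERTS = """\
[**] IDS28/probe-nmap_tcp_ping [**]
02/09-09:19:12.942288 0:B0:4A:9B:D0:38 -> 8:0:20:C2:1A:58 type:0x800 len:0x3C
194.133.58.129:80 -> a.b.c.42:53 TCP TTL:51 TOS:0x0 ID:13740 IpLen:20 DgmLen:40
***A**** Seq: 0x1BF Ack: 0x0 Win: 0x578 TcpLen: 20

[**] IDS7/SourcePortTraffic-53-tcp [**]
02/09-09:19:12.942337 0:B0:4A:9B:D0:38 -> 8:0:20:C2:1A:58 type:0x800 len:0x3C
194.133.58.129:53 -> a.b.c.42:53 TCP TTL:51 TOS:0x0 ID:13741 IpLen:20 DgmLen:40
******S* Seq: 0x6ACADDF Ack: 0x0 Win: 0x578 TcpLen: 20
"""

IP_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) TCP .*\bID:(\d+)")
# Snort prints TCP flags in fixed "12UAPRSF" order: index 3 is ACK, index 6 is SYN.
TCP_RE = re.compile(r"^(.{8}) Seq: 0x[0-9A-Fa-f]+ Ack: (0x[0-9A-Fa-f]+)")

def parse_alerts(text):
    records = []
    for block in text.strip().split("\n\n"):  # one 4-line block per alert
        lines = block.splitlines()
        ip = IP_RE.match(lines[2]) if len(lines) >= 4 else None
        tcp = TCP_RE.match(lines[3]) if ip else None
        if not tcp:
            continue  # skip anything that is not a TCP alert in full format
        src, sport, dst, dport, ipid = ip.groups()
        records.append({"sig": lines[0].strip("[*] "), "src": src, "sport": int(sport),
                        "dst": dst, "dport": int(dport), "ipid": int(ipid),
                        "ack": tcp[1][3] == "A", "syn": tcp[1][6] == "S",
                        "ack_num": int(tcp[2], 16)})
    return records

def classify(records):
    findings = defaultdict(list)
    for r in records:
        if r["ack"] and not r["syn"] and r["ack_num"] == 0:
            # A bare ACK acknowledging 0 belongs to no session: the host-discovery "TCP ping" IDS28 names.
            findings[r["src"]].append(f"ack-ping to {r['dst']}:{r['dport']}")
        if r["syn"] and r["sport"] == 53:
            # SYN sourced from 53 (IDS7) may pass filters that admit DNS traffic by source port.
            findings[r["src"]].append(f"syn-from-53 to {r['dst']}:{r['dport']}")
    for src in {r["src"] for r in records}:
        ids = sorted(r["ipid"] for r in records if r["src"] == src)
        if len(ids) > 1 and ids[-1] - ids[0] == len(ids) - 1:
            # Consecutive IP IDs from one host: one tool sending a burst, not two unrelated scanners.
            findings[src].append(f"consecutive-ipid {ids[0]}-{ids[-1]}")
    return dict(findings)
```

Feeding a whole alert file through `parse_alerts` and grouping `classify` output by source is enough to see whether the eight sources the post mentions all produce the same ack-then-SYN pair.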