Security Incidents mailing list archives

Strange packets (IDS28/probe-nmap_tcp_ping)


From: Wozz <wozz+incidents () WOOKIE NET>
Date: Mon, 5 Feb 2001 12:35:21 -0700

I've received some strange packets the last few days on one of my IDS sensors.

I assume these were generated by nmap -g 80.  What's curious to me is how slow and
random the scan appears.   It hits a few IPs more than once, hits a few random
high level ports.  There seems to be no sense to it.  Has anyone seen similar
traffic?  Any thoughts as to what they're trying to accomplish?

[**] IDS28/probe-nmap_tcp_ping [**]
02/05-02:47:51.939125 0:B0:4A:9B:D0:38 -> 8:0:20:C2:5:5E type:0x800 len:0x3C
63.119.91.2:80 -> a.b.c.168:25 TCP TTL:53 TOS:0x0 ID:5610 IpLen:20 DgmLen:40
***A**** Seq: 0x136  Ack: 0x0  Win: 0x400  TcpLen: 20
--
[**] IDS28/probe-nmap_tcp_ping [**]
02/05-03:21:27.716890 0:B0:4A:9B:D0:38 -> 8:0:20:C2:5:5E type:0x800 len:0x3C
63.119.91.2:80 -> a.b.c.163:25 TCP TTL:53 TOS:0x0 ID:37820 IpLen:20 DgmLen:40
***A**** Seq: 0x1D1  Ack: 0x0  Win: 0x400  TcpLen: 20
--
[**] IDS28/probe-nmap_tcp_ping [**]
02/04-04:43:25.631670 0:B0:4A:9B:D0:38 -> 8:0:20:C2:1A:58 type:0x800 len:0x3C
63.119.91.2:80 -> a.b.c.42:38838 TCP TTL:53 TOS:0x0 ID:38476 IpLen:20 DgmLen:40
***A**** Seq: 0x33  Ack: 0x0  Win: 0x400  TcpLen: 20
--
[**] IDS28/probe-nmap_tcp_ping [**]
02/04-17:47:00.024980 0:B0:4A:9B:D0:38 -> 8:0:20:C2:5:5E type:0x800 len:0x3C
63.119.91.2:80 -> a.b.c.192:25 TCP TTL:53 TOS:0x0 ID:53792 IpLen:20 DgmLen:40
***A**** Seq: 0x30B  Ack: 0x0  Win: 0x400  TcpLen: 20
--
[**] IDS28/probe-nmap_tcp_ping [**]
02/04-21:51:38.517553 0:B0:4A:9B:D0:38 -> 8:0:20:C2:5:5E type:0x800 len:0x3C
63.119.91.2:80 -> a.b.c.192:25 TCP TTL:53 TOS:0x0 ID:36244 IpLen:20 DgmLen:40
***A**** Seq: 0x3A3  Ack: 0x0  Win: 0x400  TcpLen: 20
--
[**] IDS28/probe-nmap_tcp_ping [**]
02/05-01:38:40.551743 0:B0:4A:9B:D0:38 -> 8:0:20:C2:5:5E type:0x800 len:0x3C
63.119.91.2:80 -> a.b.c.192:25 TCP TTL:53 TOS:0x0 ID:106 IpLen:20 DgmLen:40
***A**** Seq: 0x23F  Ack: 0x0  Win: 0x400  TcpLen: 20
--
[**] IDS28/probe-nmap_tcp_ping [**]
02/03-04:25:37.056448 0:B0:4A:9B:D0:38 -> 8:0:20:C2:5:5E type:0x800 len:0x3C
63.119.91.2:80 -> a.b.c.163:25 TCP TTL:53 TOS:0x0 ID:61412 IpLen:20 DgmLen:40
***A**** Seq: 0x388  Ack: 0x0  Win: 0x400  TcpLen: 20
--
[**] IDS28/probe-nmap_tcp_ping [**]
02/03-15:22:45.495337 0:B0:4A:9B:D0:38 -> 8:0:20:C2:5:5E type:0x800 len:0x3C
63.119.91.2:80 -> a.b.c.192:25 TCP TTL:53 TOS:0x0 ID:32070 IpLen:20 DgmLen:40
***A**** Seq: 0x1B0  Ack: 0x0  Win: 0x400  TcpLen: 20
--
[**] IDS28/probe-nmap_tcp_ping [**]
02/03-21:49:08.168186 0:B0:4A:9B:D0:38 -> 8:0:20:C2:1A:58 type:0x800 len:0x3C
63.119.91.2:80 -> a.b.c.42:26291 TCP TTL:53 TOS:0x0 ID:25314 IpLen:20 DgmLen:40
***A**** Seq: 0x2B6  Ack: 0x0  Win: 0x400  TcpLen: 20
--
[**] IDS28/probe-nmap_tcp_ping [**]
02/02-21:01:28.924438 0:B0:4A:9B:D0:38 -> 8:0:20:C2:5:5E type:0x800 len:0x3C
63.119.91.2:80 -> a.b.c.188:25 TCP TTL:53 TOS:0x0 ID:43108 IpLen:20 DgmLen:40
***A**** Seq: 0x143  Ack: 0x0  Win: 0x400  TcpLen: 20
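
As an added example (not part of Wozz's post or of the IDS that produced the alerts): a small Python parser for the Snort 1.x alert layout quoted above that keeps only records with the header-only, ACK-only, ack-number-zero shape and summarizes, per source host, the source ports used, the targets hit and the time span covered, which is the quick way to confirm the single-source, fixed-source-port, slow pattern the post describes. The sample records, the addresses in them and the year 2001 supplied for the year-less Snort timestamps are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the Snort 1.x alert layout the post quotes (addresses made up).
SAMPLE_ALERTS = """\
[**] IDS28/probe-nmap_tcp_ping [**]
02/04-04:43:25.631670 0:B0:4A:9B:D0:38 -> 8:0:20:C2:1A:58 type:0x800 len:0x3C
192.0.2.7:80 -> 10.0.0.42:38838 TCP TTL:53 TOS:0x0 ID:38476 IpLen:20 DgmLen:40
***A**** Seq: 0x33  Ack: 0x0  Win: 0x400  TcpLen: 20
--
[**] IDS28/probe-nmap_tcp_ping [**]
02/05-02:47:51.939125 0:B0:4A:9B:D0:38 -> 8:0:20:C2:5:5E type:0x800 len:0x3C
192.0.2.7:80 -> 10.0.0.168:25 TCP TTL:53 TOS:0x0 ID:5610 IpLen:20 DgmLen:40
***A**** Seq: 0x136  Ack: 0x0  Win: 0x400  TcpLen: 20
"""

RECORD_RE = re.compile(
    r"\[\*\*\] (?P<msg>.+?) \[\*\*\]\n(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) .*\n"
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) TCP .*DgmLen:(?P<dgmlen>\d+)\n"
    r"(?P<flags>[*A-Z12]{8}) Seq: 0x\w+\s+Ack: (?P<ack>0x\w+)")

def parse_alerts(text, year=2001):
    """One dict per alert record; Snort 1.x timestamps carry no year, so the caller supplies it."""
    recs = []
    for m in RECORD_RE.finditer(text):
        d = m.groupdict()
        d["time"] = datetime.strptime(f"{year}/{d['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        d.update(sport=int(d["sport"]), dport=int(d["dport"]), dgmlen=int(d["dgmlen"]), ack=int(d["ack"], 16))
        recs.append(d)
    return recs

def is_ack_ping(rec):
    """Header-only datagram (DgmLen 40), ACK flag alone, ack number 0: the shape every alert above shows."""
    return rec["flags"] == "***A****" and rec["ack"] == 0 and rec["dgmlen"] == 40

def summarize(recs):
    """Per source host: probe count, source ports used, distinct targets hit, span in hours."""
    by_src = defaultdict(list)
    for r in filter(is_ack_ping, recs):
        by_src[r["src"]].append(r)
    out = {}
    for src, rs in by_src.items():
        times = sorted(r["time"] for r in rs)
        out[src] = {"probes": len(rs), "source_ports": sorted({r["sport"] for r in rs}),
                    "targets": sorted({f"{r['dst']}:{r['dport']}" for r in rs}),
                    "span_hours": round((times[-1] - times[0]).total_seconds() / 3600, 2)}
    return out
```

Run against the full alert file instead of the sample, a summary with one source, a single source port and a span of days is the evidence that what looks random is one slow sweep.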
