Snort mailing list archives
DNS server receiving NMAP scans
From: john.ruff () us abb com
Date: Wed, 22 Aug 2001 13:15:49 -0400
I'm questioning whether the following entries in my 'alert_fast' log are valid. Below see the alert_fast entries and TCPdump info. I've got 61 instances of this alert since 8/10/2001. The sources are the following 6 IPs outside my network (64.124.150.2, 209.135.37.205, 63.211.17.228, 200.52.109.160, 64.152.70.68, 200.52.103.160).

[.....SNIP.....]
08/22-12:47:52.570484 [**] [1:628:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 64.124.150.2:53 -> xxx.xxx.90.5:53
08/22-12:47:52.575768 [**] [1:628:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 64.124.150.2:80 -> xxx.xxx.90.5:53
[.....END SNIP.....]

[.....SNIP.....]
--== Initializing Snort ==--
TCPDUMP file reading mode.
Reading network traffic from "snort-0822 () 1229 log" file.
snaplen = 1514
--== Initialization Complete ==--

08/22-12:47:52.570484 64.124.150.2:53 -> xxx.xxx.90.5:53
TCP TTL:45 TOS:0x0 ID:65172 IpLen:20 DgmLen:40
***A**** Seq: 0x216 Ack: 0x0 Win: 0x578 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/22-12:47:52.575768 64.124.150.2:80 -> xxx.xxx.90.5:53
TCP TTL:45 TOS:0x0 ID:65171 IpLen:20 DgmLen:40
***A**** Seq: 0x215 Ack: 0x0 Win: 0x578 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[.....END SNIP.....]

Regards,
John Ruff
"Shortcuts make for long delays." - J.R.R. Tolkien
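To check whether alerts like these are consistent with the rule that fired, the packet-dump records can be parsed and re-tested against the rule's own criteria. The script below is an added example, not from the post or from Snort; it assumes SID 628 "SCAN nmap TCP" fires on a bare ACK flag with acknowledgement number 0 (as the two dumped packets show), and the sample input is constructed, with the redacted destination replaced by 10.0.90.5 and one ordinary ACK packet added that should not match.

```python
import re
from collections import Counter

# Constructed sample in Snort's verbose packet-dump format: the two records from the
# post (destination replaced by 10.0.90.5) plus one normal ACK that must not match.
SAMPLE = """\
08/22-12:47:52.570484 64.124.150.2:53 -> 10.0.90.5:53
TCP TTL:45 TOS:0x0 ID:65172 IpLen:20 DgmLen:40
***A**** Seq: 0x216 Ack: 0x0 Win: 0x578 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/22-12:47:52.575768 64.124.150.2:80 -> 10.0.90.5:53
TCP TTL:45 TOS:0x0 ID:65171 IpLen:20 DgmLen:40
***A**** Seq: 0x215 Ack: 0x0 Win: 0x578 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/22-12:48:10.000000 192.0.2.7:41234 -> 10.0.90.5:53
TCP TTL:64 TOS:0x0 ID:100 IpLen:20 DgmLen:40
***A**** Seq: 0x1A2B3C4D Ack: 0x5E6F7081 Win: 0x4000 TcpLen: 20
"""

# Line 1 of a record: timestamp, src:port -> dst:port
HDR = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
# Line 3 of a record: 8-char flag field (12UAPRSF, '*' = clear), seq/ack/win in hex
TCP = re.compile(r"^([12UAPRSF*]{8}) Seq: 0x([0-9A-Fa-f]+) Ack: 0x([0-9A-Fa-f]+)"
                 r" Win: 0x([0-9A-Fa-f]+)")

def parse_packets(dump):
    """Yield one dict per TCP record found in Snort packet-dump text."""
    lines = dump.splitlines()
    i = 0
    while i < len(lines):
        h = HDR.match(lines[i])
        t = TCP.match(lines[i + 2]) if h and i + 2 < len(lines) else None
        if h and t:
            yield {"ts": h.group(1), "src": h.group(2), "sport": int(h.group(3)),
                   "dst": h.group(4), "dport": int(h.group(5)), "flags": t.group(1),
                   "seq": int(t.group(2), 16), "ack": int(t.group(3), 16),
                   "win": int(t.group(4), 16)}
            i += 3
        else:
            i += 1

def matches_sid628(pkt):
    """Assumed SID 628 criteria: only the ACK flag set and an ack number of 0."""
    return pkt["flags"] == "***A****" and pkt["ack"] == 0

def scan_sources(dump):
    """Count, per source IP, the packets that satisfy the nmap-scan criteria."""
    return Counter(p["src"] for p in parse_packets(dump) if matches_sid628(p))
```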