Snort mailing list archives

DNS server receiving NMAP scans


From: john.ruff () us abb com
Date: Wed, 22 Aug 2001 13:15:49 -0400



I'm questioning whether the following entries in my 'alert_fast' log are valid.
Below see the alert_fast entries and TCPdump info.  I've got 61 instances of
this alert since 8/10/2001. The sources are the following 6 IPs outside my
network (64.124.150.2, 209.135.37.205, 63.211.17.228, 200.52.109.160,
64.152.70.68, 200.52.103.160).

[.....SNIP.....]
08/22-12:47:52.570484  [**] [1:628:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 64.124.150.2:53 -> xxx.xxx.90.5:53
08/22-12:47:52.575768  [**] [1:628:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 64.124.150.2:80 -> xxx.xxx.90.5:53
[.....END SNIP.....]


[.....SNIP.....]
        --== Initializing Snort ==--
TCPDUMP file reading mode.
Reading network traffic from "snort-0822@1229.log" file.
snaplen = 1514

        --== Initialization Complete ==--
08/22-12:47:52.570484 64.124.150.2:53 -> xxx.xxx.90.5:53
TCP TTL:45 TOS:0x0 ID:65172 IpLen:20 DgmLen:40
***A**** Seq: 0x216  Ack: 0x0  Win: 0x578  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/22-12:47:52.575768 64.124.150.2:80 -> xxx.xxx.90.5:53
TCP TTL:45 TOS:0x0 ID:65171 IpLen:20 DgmLen:40
***A**** Seq: 0x215  Ack: 0x0  Win: 0x578  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[.....END SNIP.....]



Regards,
John Ruff

"Shortcuts make for long delays." - J.R.R. Tolkien
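The check a practitioner would run on the two records above is to re-apply the rule's own match condition to the packet fields. The stock sid 628 rule of that era keyed on an ACK-only TCP segment whose acknowledgement number is 0 (flags:A; ack:0), which is the signature of nmap's ACK-based host discovery; a genuine ACK inside an established connection carries the peer's next expected sequence number, so an ack of 0 is a 1-in-2^32 accident at best. The script below is an added example, not Snort's code and not the poster's: it parses records in Snort's packet-dump layout, applies that condition, and groups the hits by source and destination so the sweep pattern (one source, several source ports, adjacent IP IDs, a few milliseconds apart) is visible. The sample dump is constructed: the first two records copy the post's values, the third is a made-up control record with a non-zero ack that must not match.

```python
"""Re-apply the Snort sid 628 ("SCAN nmap TCP") match condition to packet
records in Snort's packet-dump format. Added example; assumes the rule logic
flags:A,12; ack:0 (ACK the only flag set, reserved bits ignored, ack == 0).
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the layout Snort prints in packet-dump mode. Records 1
# and 2 copy the values from the post; record 3 is a made-up control case (an
# ACK carrying a real acknowledgement number) that must NOT match the rule.
SAMPLE_DUMP = """\
08/22-12:47:52.570484 64.124.150.2:53 -> xxx.xxx.90.5:53
TCP TTL:45 TOS:0x0 ID:65172 IpLen:20 DgmLen:40
***A**** Seq: 0x216  Ack: 0x0  Win: 0x578  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/22-12:47:52.575768 64.124.150.2:80 -> xxx.xxx.90.5:53
TCP TTL:45 TOS:0x0 ID:65171 IpLen:20 DgmLen:40
***A**** Seq: 0x215  Ack: 0x0  Win: 0x578  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/22-12:48:01.000000 64.124.150.2:53 -> xxx.xxx.90.5:53
TCP TTL:45 TOS:0x0 ID:65180 IpLen:20 DgmLen:40
***A**** Seq: 0x300  Ack: 0x1a2b3c4d  Win: 0x578  TcpLen: 20
"""

# Snort prints the eight TCP flag positions in the order 1 2 U A P R S F
# (two reserved bits, URG, ACK, PSH, RST, SYN, FIN); '*' means the bit is clear.
RESERVED_BITS = frozenset("12")

RECORD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)\n"
    r"TCP TTL:(?P<ttl>\d+) TOS:0x[0-9a-fA-F]+ ID:(?P<ipid>\d+) IpLen:\d+ DgmLen:\d+\n"
    r"(?P<flags>[12UAPRSF*]{8})\s+Seq: 0x(?P<seq>[0-9a-fA-F]+)\s+Ack: 0x(?P<ack>[0-9a-fA-F]+)"
    r"\s+Win: 0x(?P<win>[0-9a-fA-F]+)\s+TcpLen: (?P<tcplen>\d+)",
    re.MULTILINE,
)


@dataclass(frozen=True)
class TcpRecord:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    ipid: int
    flags: frozenset  # letters of the flags that are set, e.g. {"A"}
    seq: int
    ack: int
    win: int


def parse_dump(text):
    """Parse every TCP record in a Snort packet dump into TcpRecord objects."""
    recs = []
    for m in RECORD_RE.finditer(text):
        flags = frozenset(c for c in m["flags"] if c != "*")
        recs.append(TcpRecord(
            m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
            int(m["ttl"]), int(m["ipid"]), flags,
            int(m["seq"], 16), int(m["ack"], 16), int(m["win"], 16)))
    return recs


def matches_sid628(rec):
    """Rule condition: ACK is the only flag set (reserved bits ignored, as
    flags:A,12 does) and the acknowledgement number is 0."""
    return (rec.flags - RESERVED_BITS) == {"A"} and rec.ack == 0


def _parse_ts(ts):
    # Snort timestamps carry no year; strptime fills in 1900, which is fine
    # for computing deltas within one capture.
    return datetime.strptime(ts, "%m/%d-%H:%M:%S.%f")


def summarize_hits(recs):
    """Group rule hits by (src, dst) host pair. Per pair: the source ports used,
    the IP IDs, the sequence numbers, and the span of the burst in microseconds.
    Several source ports from one host within milliseconds, with adjacent IP IDs,
    is a host-discovery sweep, not a DNS query, reply or zone transfer."""
    by_pair = {}
    for r in recs:
        if matches_sid628(r):
            by_pair.setdefault((r.src, r.dst), []).append(r)
    summary = {}
    for pair, hits in by_pair.items():
        hits.sort(key=lambda r: _parse_ts(r.ts))
        delta = _parse_ts(hits[-1].ts) - _parse_ts(hits[0].ts)
        summary[pair] = {
            "sports": [r.sport for r in hits],
            "dports": sorted({r.dport for r in hits}),
            "ipids": [r.ipid for r in hits],
            "seqs": [r.seq for r in hits],
            "span_us": delta.days * 86_400_000_000 + delta.seconds * 1_000_000 + delta.microseconds,
        }
    return summary


if __name__ == "__main__":
    records = parse_dump(SAMPLE_DUMP)
    for r in records:
        print(f"{r.ts} {r.src}:{r.sport} -> {r.dst}:{r.dport} "
              f"flags={''.join(sorted(r.flags))} ack={r.ack:#x} sid628={matches_sid628(r)}")
    for pair, info in summarize_hits(records).items():
        print(pair, info)
```

Run as a script it prints one line per record with the rule verdict, then the per-source summary; the two records from the post match, the control record does not. Source ports 53 and 80 chosen by the prober are the usual trick of using ports that stateless packet filters tend to allow through, which is why the hits look like DNS traffic in the alert file without being DNS.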



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

