Snort mailing list archives

what does this probe stand for ?


From: "Jose Miguel Varet" <varet () esatt com>
Date: Sun, 1 Jul 2001 16:19:09 +0200

Hello !

While reviewing some of my portscan plugin log files, I've found many
portscan alarms that look like these:

-----------------------------------------------------------------
(1)Jul  1 22:32:43 62.22.10.76:18245 -> 195.219.113.15:21536 NOACK *2U*PRS* RESERVEDBITS
(1)Jul  1 22:32:43 62.22.10.76:18245 -> 195.219.113.15:21536 VECNA *2U*P*** RESERVEDBITS

(2)Jul  1 22:27:40 212.106.240.52:1051 -> 195.219.113.5:80 SYN ******S*
(2)Jul  1 22:27:40 212.106.240.52:18245 -> 195.219.113.5:21536 XMAS *2U*P**F RESERVEDBITS

(3)Jul  1 22:21:18 212.106.229.55:1144 -> 195.219.113.15:80 SYN ******S*
(3)Jul  1 22:21:18 212.106.229.55:18245 -> 195.219.113.15:21536 NOACK *2U*PRS* RESERVEDBITS

(4)Jul  1 22:05:51 212.106.240.235:1048 -> 195.219.113.5:80 SYN ******S*
(4)Jul  1 22:05:52 212.106.240.235:18245 -> 195.219.113.5:21536 XMAS *2U*P**F RESERVEDBITS
-----------------------------------------------------------------

They share in common a strange probe to port 21536. It should be noted that
the remote port is always the same too (18245) regardless of the remote
machine. Although in this example you see that 3 of the scans come from the
same B-class network, there are other similar scans which come from totally
different networks (see (1), for example). I haven't been able to find
anything about that port (21536), nor do I know if this could be some kind
of trojan which is looking for itself in remote machines.
This scan alarm is being generated at a quick rate, at least three or four
times a minute. Before placing an ignore_portscan on this kind of alarm, I'd
like to hear your opinions about this issue. Is this a false positive, a
trojan being, a real scan... or what?
Many thanks in advance.


                Jose,
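[Editor's note and added example, not part of Jose's message.] The two constant "ports" decode as ASCII: 18245 is 0x4745, the bytes "GE", and 21536 is 0x5420, the bytes "T ", so the four bytes Snort read as source and destination port spell "GET ". The flag patterns in the log are the same story: *2U*PRS* is the byte 0x6E ("n"), *2U*P*** is 0x68 ("h") and *2U*P**F is 0x69 ("i"). The flags byte sits at offset 13 of a TCP header, which in an HTTP request line is a character of the requested path, so each different URL gives a different "scan type". Snort was decoding HTTP request text as if it were a TCP header, which is why the same source and destination "ports" show up from unrelated networks and why every alert carries RESERVEDBITS. The Python below is example code written for this note, not from the post and not Snort's own code; the log lines and HTTP requests it embeds are constructed to match the format quoted above. It parses the portscan lines, rebuilds the raw bytes behind the ports and flags, and does the reverse: unpacks an HTTP request as a TCP header to reproduce the logged values.

```python
import re
import struct

# Snort's portscan flag string has one character per bit of the TCP flags
# byte, most significant bit first: the two reserved bits ("1", "2"), then
# URG, ACK, PSH, RST, SYN, FIN.  "*" marks a clear bit.
FLAG_CHARS = "12UAPRSF"

# Matches the shape of the portscan log lines quoted in the post.
LOG_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"(?P<name>\w+) (?P<flags>[12UAPRSF*]{8})"
)

# HTTP request methods whose first four bytes would land in the port fields.
HTTP_PREFIXES = (b"GET ", b"POST", b"HEAD", b"PUT ")


def flags_to_byte(flags: str) -> int:
    """Rebuild the raw TCP flags byte from Snort's 8-character flag string."""
    value = 0
    for pos, ch in enumerate(flags):
        if ch == "*":
            continue
        if ch != FLAG_CHARS[pos]:
            raise ValueError(f"unexpected {ch!r} at position {pos} in {flags!r}")
        value |= 0x80 >> pos
    return value


def byte_to_flags(value: int) -> str:
    """Inverse of flags_to_byte: render a flags byte the way Snort logs it."""
    return "".join(FLAG_CHARS[p] if value & (0x80 >> p) else "*" for p in range(8))


def analyze_log_line(line: str) -> dict:
    """Reinterpret the logged ports and flags as the bytes they came from.

    Bytes 0-3 of a TCP header are the source and destination ports
    (big-endian) and byte 13 is the flags byte.  If those bytes read as
    ASCII request text, Snort was looking at payload, not a header.
    """
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError(f"not a portscan log line: {line!r}")
    first_four = struct.pack("!HH", int(m["sport"]), int(m["dport"]))
    flag_byte = flags_to_byte(m["flags"])
    return {
        "src": m["src"],
        "dst": m["dst"],
        "name": m["name"],
        "first_four": first_four,
        "flag_byte": flag_byte,
        # True when the "header" starts with an HTTP method and the flags
        # byte is printable ASCII, i.e. a character from the request line.
        "looks_like_http": first_four in HTTP_PREFIXES and 0x20 <= flag_byte < 0x7F,
    }


def request_as_tcp_header(request: bytes) -> dict:
    """Do what the confused decoder did: unpack HTTP text as a TCP header."""
    if len(request) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    # ports, seq, ack, data offset/reserved, flags: the first 14 bytes.
    sport, dport, _seq, _ack, _offset, flags = struct.unpack("!HHIIBB", request[:14])
    return {"sport": sport, "dport": dport, "flags": byte_to_flags(flags)}


# Constructed sample lines in the format of the post's portscan log.
SAMPLE_LINES = [
    "Jul  1 22:32:43 62.22.10.76:18245 -> 195.219.113.15:21536 NOACK *2U*PRS* RESERVEDBITS",
    "Jul  1 22:27:40 212.106.240.52:1051 -> 195.219.113.5:80 SYN ******S*",
    "Jul  1 22:27:40 212.106.240.52:18245 -> 195.219.113.5:21536 XMAS *2U*P**F RESERVEDBITS",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = analyze_log_line(line)
        print(f"{r['name']:6} header[0:4]={r['first_four']!r} "
              f"flags=0x{r['flag_byte']:02x} http={r['looks_like_http']}")
    # Constructed request: byte 13 is the 'h' of "default.htm", which Snort
    # would log as the flags byte *2U*P*** (the VECNA pattern above).
    print(request_as_tcp_header(b"GET /default.htm HTTP/1.0\r\n\r\n"))
```

The real SYN lines in the post (source port 1051, 1144, 1048 to port 80) fail the HTTP check, so the same filter separates the genuine web connections from the misdecoded payload that followed them; that is a more useful triage step than an ignore_portscan on port 21536, since it keys on the content of the fields rather than on one value.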




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users