Snort mailing list archives
what does this probe stand for?
From: "Jose Miguel Varet" <varet () esatt com>
Date: Sun, 1 Jul 2001 16:19:09 +0200
Hello! While reviewing some of my portscan plugin log files a bit, I've found many portscan alarms that look like these:
-----------------------------------------------------------------
(1)Jul 1 22:32:43 62.22.10.76:18245 -> 195.219.113.15:21536 NOACK *2U*PRS* RESERVEDBITS
(1)Jul 1 22:32:43 62.22.10.76:18245 -> 195.219.113.15:21536 VECNA *2U*P*** RESERVEDBITS
(2)Jul 1 22:27:40 212.106.240.52:1051 -> 195.219.113.5:80 SYN ******S*
(2)Jul 1 22:27:40 212.106.240.52:18245 -> 195.219.113.5:21536 XMAS *2U*P**F RESERVEDBITS
(3)Jul 1 22:21:18 212.106.229.55:1144 -> 195.219.113.15:80 SYN ******S*
(3)Jul 1 22:21:18 212.106.229.55:18245 -> 195.219.113.15:21536 NOACK *2U*PRS* RESERVEDBITS
(4)Jul 1 22:05:51 212.106.240.235:1048 -> 195.219.113.5:80 SYN ******S*
(4)Jul 1 22:05:52 212.106.240.235:18245 -> 195.219.113.5:21536 XMAS *2U*P**F RESERVEDBITS
-----------------------------------------------------------------
They share in common a strange probe to port 21536. It should be noted that the remote port is always the same too (18245) regardless of the remote machine. Although in this example you see that 3 of the scans come from the same B-class network, there are other similar scans which come from totally different networks (see (1), for example). I haven't been able to find anything about that port (21536), nor do I know if this could be some kind of trojan which is looking for itself in remote machines. This scan alarm is being generated at a quick rate, at least three or four times a minute. Before placing an ignore_portscan for this kind of alarm, I'd like to hear your opinions about this issue. Is this a false positive, a trojan being, a real scan... or what? Many thanks in advance.
Jose,
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
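As an added example (not part of Jose's message or of Snort itself; all function names are mine), a small Python parser for the portscan log lines quoted above that also decodes each port as two big-endian ASCII bytes. For the 18245/21536 pair both ports decode to printable text (0x4745 is "GE", 0x5420 is "T "), so the "header" fields of those alarms read like application data; that is a check worth running against a full packet capture before adding an ignore_portscan entry.

```python
import re
from collections import namedtuple

# Constructed sample input: the spp_portscan lines quoted in the message, minus the (n) markers.
SAMPLE_LOG = """\
Jul 1 22:32:43 62.22.10.76:18245 -> 195.219.113.15:21536 NOACK *2U*PRS* RESERVEDBITS
Jul 1 22:32:43 62.22.10.76:18245 -> 195.219.113.15:21536 VECNA *2U*P*** RESERVEDBITS
Jul 1 22:27:40 212.106.240.52:1051 -> 195.219.113.5:80 SYN ******S*
Jul 1 22:27:40 212.106.240.52:18245 -> 195.219.113.5:21536 XMAS *2U*P**F RESERVEDBITS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<name>\S+) (?P<flags>[*12UAPRSF]{8}).*$"
)
# The 8-character flag field: two reserved bits, then URG ACK PSH RST SYN FIN.
FLAG_NAMES = ("RES1", "RES2", "URG", "ACK", "PSH", "RST", "SYN", "FIN")
PortscanEvent = namedtuple("PortscanEvent", "ts src sport dst dport name flags")

def parse_log(text):
    """Parse spp_portscan lines into events; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flags = frozenset(n for n, c in zip(FLAG_NAMES, m["flags"]) if c != "*")
            events.append(PortscanEvent(m["ts"], m["src"], int(m["sport"]),
                                        m["dst"], int(m["dport"]), m["name"], flags))
    return events

def port_as_ascii(port):
    """Read a 16-bit port as two big-endian bytes; None unless both are printable ASCII."""
    hi, lo = port >> 8, port & 0xFF
    return chr(hi) + chr(lo) if all(0x20 <= b < 0x7F for b in (hi, lo)) else None

def ports_as_text(ev):
    """Text spelled by the port pair: 18245 (0x4745) -> 21536 (0x5420) reads 'GET '."""
    parts = (port_as_ascii(ev.sport), port_as_ascii(ev.dport))
    return None if None in parts else "".join(parts)

def looks_like_misread_payload(ev):
    """Reserved bits set AND the ports spell printable text: the 'header' is consistent with
    application data being read at the wrong offset, so check the full packet capture before
    treating the alarm as a deliberate flag probe."""
    return bool(ev.flags & {"RES1", "RES2"}) and ports_as_text(ev) is not None
```

Run `looks_like_misread_payload` over the parsed sample: the 18245 -> 21536 alarms are flagged, while the plain SYN to port 80 from an ephemeral port is not.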
Current thread:
- what does this probe stand for? Jose Miguel Varet (Jul 01)