Snort mailing list archives
Strange scan
From: Michael Schwartzkopff <misch () mail multinet de>
Date: Mon, 21 Jan 2002 13:30:41 +0100
Hi,

I have been getting some strange scans for some weeks now. The scans would not stop, so I decided to investigate further and set up tcpdump. Please see the attached file. Can someone please help me explain the aim of this scan?

There are some strange things in this scan:

1) The scan originates from a private IP address, but it is a TCP SYN scan. So the scanner wants an answer, but this should be difficult using a private source address on the Internet.

2) If he wants to get the answer, he should be located somewhere close to our net to catch the answer of our system. But the TTL of 241 tells me that he is most probably 14 hops (255 - 241) away. That seems to be far for an answer to a private IP address.

3) Can somebody explain what OS is running with these characteristics?

Thanks for any help.

--
Dr. Michael Schwartzkopff
Multinet GmbH
Bretonischer Ring 7
85630 Grasbrunn
Tel: (+49 89) 456 911 50
Fax: (+49 89) 456 911 21
Attachment:
192.168.50.36.txt
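The two observations in the message above (a SYN arriving with an RFC 1918 source address, and hop distance inferred from the TTL) can be checked mechanically over a capture. This is an added example, not part of the original post or its attachment: the packet lines are constructed in the style of `tcpdump -nn -v` output, the function names are hypothetical, and the hop estimate assumes the sender started from the nearest common initial TTL (32, 64, 128 or 255).

```python
import ipaddress
import re

# Assumption: the sender's stack used the smallest common initial TTL
# that is still >= the TTL observed on arrival.
INITIAL_TTLS = (32, 64, 128, 255)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample, two lines per packet as printed by `tcpdump -nn -v`.
SAMPLE = """\
13:30:41.100000 IP (tos 0x0, ttl 241, id 4711, offset 0, flags [none], proto TCP (6), length 40)
    192.168.50.36.1234 > 203.0.113.10.80: Flags [S], seq 1000, win 512, length 0
13:30:42.200000 IP (tos 0x0, ttl 52, id 4712, offset 0, flags [DF], proto TCP (6), length 60)
    198.51.100.7.40000 > 203.0.113.10.25: Flags [S], seq 2000, win 5840, length 0
13:30:43.300000 IP (tos 0x0, ttl 241, id 4713, offset 0, flags [none], proto TCP (6), length 40)
    192.168.50.36.1235 > 203.0.113.10.80: Flags [.], ack 1, win 512, length 0
"""

HEADER = re.compile(r"^\S.*\bttl (\d+),")
FLOW = re.compile(r"^\s+(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): "
                  r"Flags \[([^\]]*)\]")

def estimate_hops(ttl):
    """Hops travelled, given the assumed initial TTL."""
    initial = next(t for t in INITIAL_TTLS if t >= ttl)
    return initial - ttl

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def private_source_syns(text):
    """Return bare SYNs whose source address is in RFC 1918 space."""
    findings, ttl = [], None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            ttl = int(header.group(1))   # remember TTL for the flow line that follows
            continue
        flow = FLOW.match(line)
        if flow and ttl is not None:
            src, _sport, _dst, dport, flags = flow.groups()
            if flags == "S" and is_rfc1918(src):
                findings.append({"src": src, "dst_port": int(dport),
                                 "ttl": ttl, "hops": estimate_hops(ttl)})
            ttl = None
    return findings

if __name__ == "__main__":
    for finding in private_source_syns(SAMPLE):
        print(finding)
```
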