Snort mailing list archives
Re: 17203 portscan alerts in 23 hours from same IP
From: Jeff Taylor <jeff () austinblues dyndns org>
Date: Wed, 10 Jul 2002 11:45:11 -0500
Some firewall setups (mistakenly IMHO) "trust" accesses from privileged ports (less than 1024). Yes, there can be a valid packet from port 80. But without knowing the people on the other end, I would treat it like a vulnerability exploit.

Jeffrey

Quoting Ashley Thomas <athomas () cc gatech edu>:

> Src port 80 seems fishy, right? They might be trying to "hide" by using port 80!
> BTW does anyone know if there can be a valid packet from src port 80 -> dest port 53?
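The policy difference discussed in this exchange, as an added example that is not part of either message: a filter that trusts any source port below 1024 is compared with one that only admits replies to flows opened from inside. The addresses, the `Packet` type and all function names are assumptions made for this sketch, and the traffic is constructed.

```python
from collections import namedtuple

# Constructed sample traffic; addresses come from documentation ranges.
Packet = namedtuple("Packet", "src sport dst dport direction")

INSIDE = "192.0.2.10"      # assumed protected host
OUTSIDE = "198.51.100.7"   # assumed remote host


def stateless_allow(pkt):
    """Weak policy: any inbound packet from a source port below 1024 is trusted."""
    return pkt.direction == "out" or pkt.sport < 1024


class StatefulFilter:
    """Admits an inbound packet only if it answers a flow opened from inside."""

    def __init__(self):
        self.flows = set()

    def allow(self, pkt):
        if pkt.direction == "out":
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: must be the exact reverse of a recorded outbound flow.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def compare(packets):
    """Return (packet, stateless verdict, stateful verdict) for each packet."""
    stateful = StatefulFilter()
    return [(p, stateless_allow(p), stateful.allow(p)) for p in packets]


SAMPLE = [
    Packet(INSIDE, 40000, OUTSIDE, 80, "out"),  # inside host opens a web request
    Packet(OUTSIDE, 80, INSIDE, 40000, "in"),   # genuine reply from port 80
    Packet(OUTSIDE, 80, INSIDE, 53, "in"),      # unsolicited: src 80 -> dst 53
    Packet(OUTSIDE, 40001, INSIDE, 53, "in"),   # unsolicited from a high port
]

if __name__ == "__main__":
    for pkt, weak, strict in compare(SAMPLE):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"stateless={'allow' if weak else 'drop'} "
              f"stateful={'allow' if strict else 'drop'}")
```

Only the third packet is treated differently: the source-port rule lets it through, while the flow-tracking filter drops it because nothing inside ever opened that connection.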
Current thread:
- 17203 portscan alerts in 23 hours from same IP Jon Quiros (Jul 10)
- RE: 17203 portscan alerts in 23 hours from same IP Ashley Thomas (Jul 10)
- Re: 17203 portscan alerts in 23 hours from same IP Jeff Taylor (Jul 10)
- <Possible follow-ups>
- Re: 17203 portscan alerts in 23 hours from same IP Jon Quiros (Jul 10)
- Re: 17203 portscan alerts in 23 hours from same IP Matt Kettler (Jul 10)
- Re: 17203 portscan alerts in 23 hours from same IP Jon Quiros (Jul 10)
- Re: 17203 portscan alerts in 23 hours from same IP Matt Kettler (Jul 10)
- Re: 17203 portscan alerts in 23 hours from same IP Jon Quiros (Jul 10)
- RE: 17203 portscan alerts in 23 hours from same IP Ashley Thomas (Jul 10)