Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Proxy Scanner?

From: John McCain <jmccain () layer3al com>
Date: 20 Dec 2002 09:33:45 -0600
I've seen this quite a bit.  Exactly the same type of scan against
exactly the same target ports.  I believe that the use of port 0 as the
source port is an attempt to evade firewall rules which apply to ports
1-65535.  Are you able/willing to discuss the origin of these scans?  I
would, but I don't remember the exact addresses, and wouldn't want to
implicate the innocent.

I think we should go back through our logs and compare notes, however.

On Fri, 2002-12-20 at 08:29, Sylar, John wrote:

Lately, I'm seeing this sort of scan alot, from assorted netblocks. Doesn't
seem to correlate to the Incidents site.
While the source port is not always 0, the destination ports are always the
same, in the same order.
Does anyone know what tool this might be? Or have some pointers to
references for reading?
Dec 19 18:39:14 their.i.p.addr:0 -> my.i.p.addr:1080 SYN ******S*
Dec 19 18:39:14 their.i.p.addr:0 -> my.i.p.addr:3128 SYN ******S*
Dec 19 18:39:14 their.i.p.addr:0 -> my.i.p.addr:8000 SYN ******S*
Dec 19 18:39:14 their.i.p.addr:0 -> my.i.p.addr:80 SYN ******S*
Dec 19 18:39:14 their.i.p.addr:0 -> my.i.p.addr:8080 SYN ******S*
Thanks and best regards,
Sam


-------------------------------------------------------
This SF.NET email is sponsored by:  The Best Geek Holiday Gifts!
Time is running out!  Thinkgeek.com has the coolest gifts for
your favorite geek.   Let your fingers do the typing.   Visit Now.
T H I N K G E E K . C O M        http://www.thinkgeek.com/sf/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users






-------------------------------------------------------
This SF.NET email is sponsored by:  The Best Geek Holiday Gifts!
Time is running out!  Thinkgeek.com has the coolest gifts for
your favorite geek.   Let your fingers do the typing.   Visit Now.
T H I N K G E E K . C O M        http://www.thinkgeek.com/sf/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: